4fd594d6b504845b7e05d9b129bd36b2f7fd9dd71403b4a3a3d0c3b7a882f4e2

Analysis

max time kernel
145s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
13/03/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallDefenderUI.exe
Size

3.7MB
MD5

d0d4b05c2b9b7cd1b056cd619580c854
SHA1

31e772d20daa64b497622da4a54743b829f32bd0
SHA256

4fd594d6b504845b7e05d9b129bd36b2f7fd9dd71403b4a3a3d0c3b7a882f4e2
SHA512

435984efe7d87609eef25ab552727303b724d5a29d9383c60beb8e3216fa58da8db9df22065684e6cf2c2002029d968839f4677d9aeb0bef960e82ed78e3c95c
SSDEEP

98304:skLyNo01VA4hzP2ixt4RAamul5hmN5JmX7b5eNoy12:LKs4RPx/4Yc5OXeHa12

Score

8^/10

discovery evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DefenderUI\Localizations\de-DE\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\uk-UA\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-VG45S.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\pt-PT\is-N51TU.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\pt-BR\is-BG1JT.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\bg-BG\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\hu-HU\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ro-RO\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-3L42F.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-T1FOK.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\bg-BG\is-REL7J.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\ro-RO\is-B8C2V.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\unins000.msg	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\DefenderUIService.InstallState	DefenderUIService.exe
File opened for modification	C:\Program Files\DefenderUI\Localizations\da-DK\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ja-JP\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\pt-BR\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-0FDQB.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\sv-SE\is-D6KP3.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\pt-PT\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\zh-CN\is-73U7R.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\fi-FI\is-C4F7A.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\hu-HU\is-6POFS.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\ru-RU\is-DI4KH.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\lt-LT\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\cs-CZ\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\sv-SE\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-COSS8.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\et-EE\is-R4I3K.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\DefenderUIService.InstallLog	DefenderUIService.exe
File opened for modification	C:\Program Files\DefenderUI\Localizations\sk-SK\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\fr-FR\is-HNVMU.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\ja-JP\is-VQ63D.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\sk-SK\is-P1SBH.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\et-EE\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\fi-FI\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\fr-FR\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\tr-TR\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\da-DK\is-C5M2B.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\ko-KR\is-QM1NU.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\uk-UA\is-V60JG.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\DefenderUIService.exe	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ko-KR\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\el-GR\is-MVIKO.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\ClearAndRepairProtectionHistory.exe	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\es-ES\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\lv-LV\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\cs-CZ\is-FQVPC.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\nl-NL\is-19M5B.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\de-DE\is-H2KNC.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\it-IT\is-DSF0O.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\sl-SI\is-2IBQS.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\DefenderUI.exe	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\it-IT\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ru-RU\DefenderUI.resources.dll	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\nl-NL\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\es-ES\is-RHTKS.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\el-GR\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-L3K18.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\is-PNESB.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\lv-LV\is-AKT2Q.tmp	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\Localizations\tr-TR\is-HB6PF.tmp	InstallDefenderUI.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\pl-PL\DefenderUI.resources.dll	InstallDefenderUI.tmp
File created	C:\Program Files\DefenderUI\unins000.dat	InstallDefenderUI.tmp

Executes dropped EXE 6 IoCs

pid	Process
2740	InstallDefenderUI.tmp
1044	DefenderUIService.exe
5012	DefenderUIService.exe
2876	DefenderUI.exe
540	DefenderUI.exe
384	DefenderUI.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
392	sc.exe
4868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2032	taskkill.exe
3112	taskkill.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\ = "DefenderUI Add Exclusion"	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\Icon = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\",0"	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\MultiSelectModel = "Single"	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\ = "DefenderUI Add Exclusion"	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\MultiSelectModel = "Single"	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\command\ = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\" \"%1 /addfolderexclusion\""	InstallDefenderUI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\command\ = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\" \"%1 /addfileexclusion\""	InstallDefenderUI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion	InstallDefenderUI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\Icon = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\",0"	InstallDefenderUI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\command	InstallDefenderUI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\command	InstallDefenderUI.tmp

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DefenderUIService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DefenderUIService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DefenderUIService.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2740	InstallDefenderUI.tmp
2740	InstallDefenderUI.tmp
2740	InstallDefenderUI.tmp
2740	InstallDefenderUI.tmp
5012	DefenderUIService.exe
5012	DefenderUIService.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	5012	DefenderUIService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2740	InstallDefenderUI.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2740	1780	InstallDefenderUI.exe	80
PID 1780 wrote to memory of 2740	1780	InstallDefenderUI.exe	80
PID 1780 wrote to memory of 2740	1780	InstallDefenderUI.exe	80
PID 2740 wrote to memory of 2032	2740	InstallDefenderUI.tmp	82
PID 2740 wrote to memory of 2032	2740	InstallDefenderUI.tmp	82
PID 2740 wrote to memory of 2032	2740	InstallDefenderUI.tmp	82
PID 2740 wrote to memory of 3112	2740	InstallDefenderUI.tmp	84
PID 2740 wrote to memory of 3112	2740	InstallDefenderUI.tmp	84
PID 2740 wrote to memory of 3112	2740	InstallDefenderUI.tmp	84
PID 2740 wrote to memory of 392	2740	InstallDefenderUI.tmp	86
PID 2740 wrote to memory of 392	2740	InstallDefenderUI.tmp	86
PID 2740 wrote to memory of 392	2740	InstallDefenderUI.tmp	86
PID 2740 wrote to memory of 1044	2740	InstallDefenderUI.tmp	92
PID 2740 wrote to memory of 1044	2740	InstallDefenderUI.tmp	92
PID 5012 wrote to memory of 2876	5012	DefenderUIService.exe	95
PID 5012 wrote to memory of 2876	5012	DefenderUIService.exe	95
PID 2740 wrote to memory of 4868	2740	InstallDefenderUI.tmp	96
PID 2740 wrote to memory of 4868	2740	InstallDefenderUI.tmp	96

C:\Users\Admin\AppData\Local\Temp\InstallDefenderUI.exe
"C:\Users\Admin\AppData\Local\Temp\InstallDefenderUI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\is-1CB9B.tmp\InstallDefenderUI.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1CB9B.tmp\InstallDefenderUI.tmp" /SL5="$C004C,2962819,1072128,C:\Users\Admin\AppData\Local\Temp\InstallDefenderUI.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im DefenderUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im DefenderUIService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop DefenderUIService
    3⤵
    - Launches sc.exe
    PID:392
- - C:\Program Files\DefenderUI\DefenderUIService.exe
    "C:\Program Files\DefenderUI\DefenderUIService.exe" --install
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1044
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" sdset DefenderUIService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
    3⤵
    - Launches sc.exe
    PID:4868

C:\Program Files\DefenderUI\DefenderUIService.exe
"C:\Program Files\DefenderUI\DefenderUIService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files\DefenderUI\DefenderUI.exe
  "C:\Program Files\DefenderUI\DefenderUI.exe"
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Program Files\DefenderUI\DefenderUI.exe
"C:\Program Files\DefenderUI\DefenderUI.exe" /sw
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3304

C:\Program Files\DefenderUI\DefenderUI.exe
"C:\Program Files\DefenderUI\DefenderUI.exe" /sw
1⤵
- Executes dropped EXE
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DefenderUI\DefenderUI.exe

Filesize
926KB

MD5
1ab799964953ff86378d99fb4efc5df3

SHA1
33797d4425ee0dd6bb2741f5b4d33eefcacfb85f

SHA256
b37e88231d14c1a555d02404c888f2f498c0c507bd7da6a263966389102fe51e

SHA512
271f777e776721afec4f1013fc0cbd33b429f6eac5ba622d3ab152a90874e17aa299756412ffdbe7efdbe197afff1aa9d59a85ba94dea2dfecba5ffd81584b12

Download Submit
C:\Program Files\DefenderUI\DefenderUI.exe.config

Filesize
1KB

MD5
36f7f88d6d95958be77bf1480101f149

SHA1
2599a397018e0ec73ec2b657ba0917ae68caea22

SHA256
e15ec30bc8de4d3126da5717262801b95bc273c927b84864c0bb9787a9ce174e

SHA512
0f26720dca3e5b5c4756736f3f2b28ebece5ff0a53147ed7bb5f06c28fabe17026a11234e8c1412e12eaf302198b6e449073393cb92c5f08238f503cbfd8a600

Download Submit
C:\Program Files\DefenderUI\DefenderUIService.InstallLog

Filesize
865B

MD5
5b6388f1f9f4a91c4fbee0a61367ca24

SHA1
ca63d34edb365c2ea35e14cb9a73cc823df07177

SHA256
f6e5bbd75aab174b6d8316e7aea12c67e2467618293786d19d6a42a5a66ec680

SHA512
d038d6bbe839ba0cb96aae09258764769c80389337f0d421f71a7bb94b93ad828aa685623908cc5f888c4048cd6970cf349d9ce1efc71241b9b1ae091beedc17

Download Submit
C:\Program Files\DefenderUI\DefenderUIService.exe

Filesize
333KB

MD5
37156a8e5b77992f0567d73dc2c23aad

SHA1
1358bc9468f96cbf31111660debb51c512a96c96

SHA256
18365a56dbe3c376a025741f7b7198d2d7f579d8f20906f14e9d226e4272552b

SHA512
6073cdd3bcee0c669faf0fa09738b7b8604ce07fa505420e497aae0ef67700fa2768cebcb081e1256f18da6e11840505116730a2ec3c3135f608aed6717b67b3

Download Submit
C:\Program Files\DefenderUI\DefenderUIService.exe.config

Filesize
1KB

MD5
8601f442efebfa652ba88fe057411a3a

SHA1
9a59e83c7f1da071ee30945744ebeedcfc467e90

SHA256
fae8b2996603e19f77b736e5e210f749c443f2b371374389a5321bf92462e582

SHA512
51709c40605af3ab3d7a0840e71275d51ad778ec3daad217503bdd9eb2d053593bbe0ad6262edb99b0269f64706551579e4e28960b5913b2a12c9a2d64186a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1CB9B.tmp\InstallDefenderUI.tmp

Filesize
3.3MB

MD5
44da3dcc727f727f00f81e025ce6a359

SHA1
47f4d663f949c2d016d937d08fd8356addfdf670

SHA256
f35cf25818a082f066d69796085caaead8600c2c453dddec9062be85816b5413

SHA512
cd847755121ee9d3a7aaca4e4766decbe81319b3bad60b76c21faa310e6d53d5fc72471ef75eedc7ac7c47b5599ad13a296bbdfa2f7c6b62b9567c682ecf0cdd

Download Submit
memory/384-169-0x0000020779BE0000-0x0000020779BF0000-memory.dmp

Filesize
64KB

Download
memory/384-168-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/384-170-0x0000020779BE0000-0x0000020779BF0000-memory.dmp

Filesize
64KB

Download
memory/384-171-0x0000020779BE0000-0x0000020779BF0000-memory.dmp

Filesize
64KB

Download
memory/384-172-0x0000020779BE0000-0x0000020779BF0000-memory.dmp

Filesize
64KB

Download
memory/384-173-0x000002077A750000-0x000002077A903000-memory.dmp

Filesize
1.7MB

Download
memory/384-174-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/540-164-0x0000015CF2420000-0x0000015CF2430000-memory.dmp

Filesize
64KB

Download
memory/540-166-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/540-161-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/540-162-0x0000015CF2420000-0x0000015CF2430000-memory.dmp

Filesize
64KB

Download
memory/540-163-0x0000015CF2420000-0x0000015CF2430000-memory.dmp

Filesize
64KB

Download
memory/540-165-0x0000015CF2750000-0x0000015CF2903000-memory.dmp

Filesize
1.7MB

Download
memory/1044-110-0x0000019711EA0000-0x0000019711EDC000-memory.dmp

Filesize
240KB

Download
memory/1044-109-0x0000019710660000-0x0000019710672000-memory.dmp

Filesize
72KB

Download
memory/1044-108-0x000001972A960000-0x000001972A970000-memory.dmp

Filesize
64KB

Download
memory/1044-103-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/1044-98-0x00000197101C0000-0x0000019710216000-memory.dmp

Filesize
344KB

Download
memory/1044-146-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/1780-107-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1780-152-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1780-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2740-151-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download
memory/2740-145-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2740-119-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download
memory/2740-5-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2876-147-0x000002725A4A0000-0x000002725A4B0000-memory.dmp

Filesize
64KB

Download
memory/2876-153-0x000002725CBB0000-0x000002725CC4C000-memory.dmp

Filesize
624KB

Download
memory/2876-142-0x000002723FD30000-0x000002723FE1A000-memory.dmp

Filesize
936KB

Download
memory/2876-157-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/2876-156-0x000002725A600000-0x000002725A7B3000-memory.dmp

Filesize
1.7MB

Download
memory/2876-155-0x000002725A4A0000-0x000002725A4B0000-memory.dmp

Filesize
64KB

Download
memory/2876-154-0x000002725A4A0000-0x000002725A4B0000-memory.dmp

Filesize
64KB

Download
memory/2876-144-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/5012-160-0x000001DA80AE0000-0x000001DA80AF0000-memory.dmp

Filesize
64KB

Download
memory/5012-158-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download
memory/5012-137-0x000001DB00280000-0x000001DB0038A000-memory.dmp

Filesize
1.0MB

Download
memory/5012-136-0x000001DB00120000-0x000001DB00170000-memory.dmp

Filesize
320KB

Download
memory/5012-135-0x000001DB000A0000-0x000001DB000C8000-memory.dmp

Filesize
160KB

Download
memory/5012-134-0x000001DA80AE0000-0x000001DA80AF0000-memory.dmp

Filesize
64KB

Download
memory/5012-133-0x00007FFD3BA80000-0x00007FFD3C542000-memory.dmp

Filesize
10.8MB

Download