Overview
overview
10Static
static
10323389cde5...f3.exe
windows7-x64
1323389cde5...f3.exe
windows10-2004-x64
1365712147d...a7.exe
windows7-x64
10365712147d...a7.exe
windows10-2004-x64
105474e75872...06.exe
windows7-x64
105474e75872...06.exe
windows10-2004-x64
1059c59ef90d...4d.exe
windows7-x64
1059c59ef90d...4d.exe
windows10-2004-x64
1063fb410fc5...22.exe
windows7-x64
763fb410fc5...22.exe
windows10-2004-x64
79443472de4...e5.exe
windows7-x64
19443472de4...e5.exe
windows10-2004-x64
197a877b999...8d.exe
windows7-x64
1097a877b999...8d.exe
windows10-2004-x64
10a0f5def5aa...93.exe
windows7-x64
1a0f5def5aa...93.exe
windows10-2004-x64
1abfe442282...b1.exe
windows7-x64
1abfe442282...b1.exe
windows10-2004-x64
1b21f34ecfa...73.exe
windows7-x64
9b21f34ecfa...73.exe
windows10-2004-x64
9svchost.exe
windows7-x64
9svchost.exe
windows10-2004-x64
9b8ce017478...a8.exe
windows7-x64
9b8ce017478...a8.exe
windows10-2004-x64
9bbb4627895...f2.exe
windows7-x64
1bbb4627895...f2.exe
windows10-2004-x64
1bdf06acf03...63.exe
windows7-x64
1bdf06acf03...63.exe
windows10-2004-x64
1db3529a2d9...81.exe
windows7-x64
1db3529a2d9...81.exe
windows10-2004-x64
1e24b84c020...db.exe
windows7-x64
9e24b84c020...db.exe
windows10-2004-x64
9General
-
Target
Cat Research 2023-07-15.zip
-
Size
4.5MB
-
Sample
240121-r8k8waeac5
-
MD5
e56e18b0de08e733d57e92e6d033bf17
-
SHA1
0e8d037a03a1855b3614174ba7e1a98424314449
-
SHA256
ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16
-
SHA512
ea9ed41545b843b89d5638c59448d53cf0e20298f2fa09989898ba1771626ce71d1661782980c6a826c2eabe0bb55145df09f5ae87a412474992d7013257c15d
-
SSDEEP
98304:vampW+t8jmbIlfnE3+2mNntZaXItRbFLbf7jLxPbM0biQaMYQ/j/:vampW+6jmOlbNm4tRFLjLxjpso7
Behavioral task
behavioral1
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral7
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral9
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral19
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
svchost.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
svchost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral29
Sample
db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881.exe
Resource
win7-20231129-en
Behavioral task
behavioral30
Sample
db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral31
Sample
e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
F:\How_to_back_files.html
Extracted
C:\odt\How_to_back_files.html
Extracted
C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\readme.txt
http://paymen45oxzpnouz.onion/5e1a7c2620
Extracted
C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\readme.txt
http://paymen45oxzpnouz.onion/e862abe0e5
Extracted
C:\Users\Admin\Favorites\Links\How To Recover Encrypted Files.hta
Extracted
C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta
Extracted
F:\$RECYCLE.BIN\readme.txt
http://paymen45oxzpnouz.onion/d128dec973
Extracted
C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\readme.txt
http://paymen45oxzpnouz.onion/2fe680d14f
Targets
-
-
Target
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3
-
Size
1.4MB
-
MD5
b0b732188bc83ee4ad3b5e5b7dd34a26
-
SHA1
4c1e68eebda46ead2563192b137f42b7a976ed2b
-
SHA256
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3
-
SHA512
51f2328cdd77ff287814618c9cb617da0f2c2fa189f466a633adb80b10c1fe0b2eaddcb3dfb58df9344181294294485f4a7527c3e5dac5964f2054bf779746a4
-
SSDEEP
24576:l8ku9/++Rod4z2JOtqKf6bvkbRbEAsk7fQl7z:mkGi4DdRbdEAwl7z
Score1/10 -
-
-
Target
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7
-
Size
450KB
-
MD5
e70b33103c17c000ac11025d2d8e70a1
-
SHA1
df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34
-
SHA256
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7
-
SHA512
632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c
-
SSDEEP
12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E
Score10/10-
Renames multiple (8391) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
-
Size
263KB
-
MD5
111e7dd338f7a7db306c95e05797747f
-
SHA1
aff72034cbbc21693425306ad42b1bb182582743
-
SHA256
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
-
SHA512
215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec
-
SSDEEP
6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d
-
Size
477KB
-
MD5
ebbb782bafaa3ab64a3e4b006a698fe0
-
SHA1
2800cd4dd62ba63f38d0452bf80cb35b4359a3dd
-
SHA256
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d
-
SHA512
cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae
-
SSDEEP
6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u
Score10/10-
Renames multiple (8414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Drops desktop.ini file(s)
-
-
-
Target
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
-
Size
924KB
-
MD5
ec9c3efe831aaa203058927df7de6138
-
SHA1
b77581e047551a70aaba0db7a57349136bd9e411
-
SHA256
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
-
SHA512
0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a
-
SSDEEP
12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA
Score7/10-
Adds Run key to start application
-
-
-
Target
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5
-
Size
102KB
-
MD5
9cea7a7505d2eff4b1109d0e70a52baf
-
SHA1
455fab0bf9e5f3e27c232aea89904c929db0a92b
-
SHA256
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5
-
SHA512
681fd65cb210f215db206f165e3a86ecc83285e928eab6e1660e33ea182f8b3059e1e68f9377faf47d2ccddad4c1b0019a4252febfb91b90b6f070d2ca0c7764
-
SSDEEP
1536:SeN+oVQkMaz9GRQl4g9FlpIm1QUnv2+qQl4g9FlpIm1i:hbVQkIg9FlCv3g9FlCJ
Score1/10 -
-
-
Target
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
-
Size
333KB
-
MD5
db88a1bd11ca3aab7a0890a10a10f45d
-
SHA1
0e01e118613962e364b76869bcfb9d26cf0a6505
-
SHA256
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
-
SHA512
b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
-
SSDEEP
6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Renames multiple (7544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593
-
Size
41KB
-
MD5
a06225459ff7b32f1408726f5d8007cf
-
SHA1
db14f8b54194f41383a0a0b1f181020d93774268
-
SHA256
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593
-
SHA512
0401e6423b359020161c26c9583d55007b00de451831e9523d752941d9815f63cd74f7cd649da4232070a2dbef2c9e584bf62a3d656532cdc2d32a06d8d305e5
-
SSDEEP
768:lL+ntTLPgn6CI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDuQndwjv:lwtTLEtI1RUcdJ861s0cJdw
Score1/10 -
-
-
Target
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1
-
Size
352KB
-
MD5
04f36999713a138ebde1adbdd7aa01f6
-
SHA1
a3c66353d9ea491f96dc63f0e9d8cb0878e1123d
-
SHA256
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1
-
SHA512
484ea18d1ed358156058d185b46a9e0caf4a44a710e638a75109996e1a974b935b3f3a0fdf5c04d2c64ec1d7e2f8fac28e2a0cf09461bc881e21f9b19c329fa6
-
SSDEEP
768:GoXcYoibzZl5KMIjz9ofRouZ1OTgggggggggggggggggggggggggggggggggggg3:G4Tb55oua8byL76qXXZ5oulx3yzFH+
Score1/10 -
-
-
Target
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
-
Size
352KB
-
MD5
4f88b5e510ecbd0adefdfc87c552289c
-
SHA1
047ec67b8e3c001086284d7176b2d239db565fb5
-
SHA256
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
-
SHA512
75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
-
SSDEEP
6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ
Score9/10-
Renames multiple (123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
svchost.exe
-
Size
1.4MB
-
MD5
1e56e3201f99af1f63c3b95b6d05d64f
-
SHA1
f5d32ac198ed52ded940ff5fffb1f513bb2b607f
-
SHA256
b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
-
SHA512
36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
-
SSDEEP
24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS
-
Clears Windows event logs
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Stops running service(s)
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8
-
Size
245KB
-
MD5
78db42a978dbaeec6b87e718b0e00160
-
SHA1
226616df9b26e9ca327805755b75813ad67c1f3f
-
SHA256
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8
-
SHA512
8a8a29eb8679512ab214d16b3e207a4545dbd63a8410ce41eef8d2c249131a5947a157344932b6041feb3084ad14d437627d754a34b977a6c2f71159a54b2b5c
-
SSDEEP
6144:ZU1aQUdyXTFDhznLOoAM4zkw7nMnp5PdleQRWsvBoCRt7Y0x:ZUQd4TFJLOolqk/72QksvBBt7Y0
Score9/10-
Renames multiple (180) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2
-
Size
131KB
-
MD5
6dd2b52d5af3fb6591d52a695a09d025
-
SHA1
9ec21f57bf3f524dccca9e78f95974c7e4951785
-
SHA256
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2
-
SHA512
5a0c63c6163df1315a24bca6307aedec584a563fac17f7f3ab7e8f7fd57f189fd9db8dcb1d53b9f756ec7f7c721041958925202ab43868bfc57ddb2d3b3cd59a
-
SSDEEP
3072:oZIzt7KLtx3kaKP/V0ZLKaQvPS5rrT0tYHJdP73wJOvpPX7:oezNqTADa5rrTLJFcJ8P
Score1/10 -
-
-
Target
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163
-
Size
41KB
-
MD5
ef51aa91d5cbed5f57b85571b528bf7e
-
SHA1
fbaaac20cff25f931c3480165ebf3b7ee9f7e4b3
-
SHA256
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163
-
SHA512
c84fb47cc627c5148841b7a2a72abe17aabd18d449a2f46a6a538ef27a2de7a753c8431c5a0930502ea26ed60fea77310436e812e0c494e9523370aabf64fea5
-
SSDEEP
768:BL+ntTLPgnHCI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDgYGZwRSAb:BwtTLEiI1RUcdJ861s0cgBZwMH
Score1/10 -
-
-
Target
db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881
-
Size
213KB
-
MD5
4b1d5fe23b954f6c80dd3f6ea0b0a0fb
-
SHA1
0aa970ec5a3b3c9f4731230b8186c4ed0b996136
-
SHA256
db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881
-
SHA512
02837a35d55d70d1b3ee62faa002b5731799055370576516dc86125081369114325722c23e55a5b6cb047e1e9c15d91eb52495155895d818a38f108b4aeca041
-
SSDEEP
3072:LL+mK4nBPd9/9h9OL7LUaaQS4zQtb5N5aw3IH3I/3Id:LC74BFHh9OL7NaQSoubc0IXIPI
Score1/10 -
-
-
Target
e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db
-
Size
11KB
-
MD5
f4d8bb082b0d03efd6990cc2f4336165
-
SHA1
48abb4773cdc2c70ea90aa4f38a8942f8bca60f3
-
SHA256
e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db
-
SHA512
2fca524f0aa0f3bf9605f8a7007dfe14f1383f976ce519299fc0991a073d78961ecf1c1d84671016f8814dd55dcf78a7c8d1ebe86cd7f59c53f1874e8a0d65da
-
SSDEEP
192:5QEguYoCj6K4KRUZJqBEjTedm53AebdKS5p:5GOKRUZ9aC7
Score9/10-
Renames multiple (1631) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
1Indicator Removal
4File Deletion
3Modify Registry
4