hive | 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

Analysis

max time kernel
471s
max time network
454s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Size

884KB
MD5

da13022097518d123a91a3958be326da
SHA1

24a71ab462594d5a159bbf176588af951aba1381
SHA256

25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
SHA512

a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
SSDEEP

12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Score

10^/10

hive evasion ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Program Files\EGdu_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data or to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: jxkdVr8zZs5J Password: GHTM6Qgqyhqs4nMH53ZD To get access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.uj1ps files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid	Process
1980	wevtutil.exe
4536	wevtutil.exe
4720	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3120-0-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-1-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-37-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-79-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-2942-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-5640-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-6095-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7510-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7876-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7883-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7888-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7903-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7910-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7915-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7920-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7925-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx
behavioral2/memory/3120-7968-0x0000000000A10000-0x0000000000D22000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-YJ2WxdaMLDPKe7Rtyj28X.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\MedTile.scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2140f8bb.pri	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Crossmark_White@1x.png.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa8RWdoMfmWQV9fonjVzcNUf.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa9pnIkFxVWjZX5HnkbDo4UF.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa96X8VfddfgLpvkQltjWgNW.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_rij_hYpVcJ9o0buc168QS.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-1VirbIlQgDxJc-RsRoT0O.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_WB_9l5RnyIuWLVLJteUEn.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-48_altform-unplated.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_N8frNlHMGcIE8hCT5E1IB.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.scale-200.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_GZftDZdmSHcncMimbhwZO.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa98wgZKkSUpWDUWzrrSSlx9.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_Sj_WvkOtSCGpHjGQ8MKc7.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa8R-XrG1xvYZq3ywgeWC6Nd.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-125.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-foTVhpQhTWJ88YGaCPktJ.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa97CfpNezPxVvzEved3xBYm.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_QDymuVSK-JJAUVsC5OwZC.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_altform-unplated_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_Z4ajN7CfGPexLf33L8oQ-.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-100.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ui-strings.js.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-RPx9FPeO6SffZIQTFAv0d.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELM.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-c1Cc4EDKwLYWicDwcFrFu.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\Tips_Image.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxb.ttf	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa9dTMDzlDpJAOkfC3rCFqYa.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\eliseGibson.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\logo.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-nshCVhh_GHnKQQsvzVsAL.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa-2RRxK9AjNC9OGbKcDGLoW.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_mKDBKoikhT_9GzDSfn34G.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\EGdu_HOW_TO_DECRYPT.txt	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js.dnwMUKa-PJoY1Kc5L4NegWl5fxfk7szZQiiU90DtMa_xaD2VV3zbQlpf_4y2kAhE.uj1ps	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-150.png	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\7.jpg	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
5028	sc.exe
2752	sc.exe
2760	sc.exe
1292	sc.exe
3916	sc.exe
1928	sc.exe
740	sc.exe
3348	sc.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

NOTEPAD.EXEnotepad.exe

pid	Process
928	NOTEPAD.EXE
4480	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1388	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exewindows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

pid	Process
3556	powershell.exe
3556	powershell.exe
3160	powershell.exe
3160	powershell.exe
3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	Process
Token: SeSecurityPrivilege	1980	wevtutil.exe
Token: SeBackupPrivilege	1980	wevtutil.exe
Token: SeSecurityPrivilege	4536	wevtutil.exe
Token: SeBackupPrivilege	4536	wevtutil.exe
Token: SeSecurityPrivilege	4720	wevtutil.exe
Token: SeBackupPrivilege	4720	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3560	wmic.exe
Token: SeSecurityPrivilege	3560	wmic.exe
Token: SeTakeOwnershipPrivilege	3560	wmic.exe
Token: SeLoadDriverPrivilege	3560	wmic.exe
Token: SeSystemProfilePrivilege	3560	wmic.exe
Token: SeSystemtimePrivilege	3560	wmic.exe
Token: SeProfSingleProcessPrivilege	3560	wmic.exe
Token: SeIncBasePriorityPrivilege	3560	wmic.exe
Token: SeCreatePagefilePrivilege	3560	wmic.exe
Token: SeBackupPrivilege	3560	wmic.exe
Token: SeRestorePrivilege	3560	wmic.exe
Token: SeShutdownPrivilege	3560	wmic.exe
Token: SeDebugPrivilege	3560	wmic.exe
Token: SeSystemEnvironmentPrivilege	3560	wmic.exe
Token: SeRemoteShutdownPrivilege	3560	wmic.exe
Token: SeUndockPrivilege	3560	wmic.exe
Token: SeManageVolumePrivilege	3560	wmic.exe
Token: 33	3560	wmic.exe
Token: 34	3560	wmic.exe
Token: 35	3560	wmic.exe
Token: 36	3560	wmic.exe
Token: SeIncreaseQuotaPrivilege	232	wmic.exe
Token: SeSecurityPrivilege	232	wmic.exe
Token: SeTakeOwnershipPrivilege	232	wmic.exe
Token: SeLoadDriverPrivilege	232	wmic.exe
Token: SeSystemProfilePrivilege	232	wmic.exe
Token: SeSystemtimePrivilege	232	wmic.exe
Token: SeProfSingleProcessPrivilege	232	wmic.exe
Token: SeIncBasePriorityPrivilege	232	wmic.exe
Token: SeCreatePagefilePrivilege	232	wmic.exe
Token: SeBackupPrivilege	232	wmic.exe
Token: SeRestorePrivilege	232	wmic.exe
Token: SeShutdownPrivilege	232	wmic.exe
Token: SeDebugPrivilege	232	wmic.exe
Token: SeSystemEnvironmentPrivilege	232	wmic.exe
Token: SeRemoteShutdownPrivilege	232	wmic.exe
Token: SeUndockPrivilege	232	wmic.exe
Token: SeManageVolumePrivilege	232	wmic.exe
Token: 33	232	wmic.exe
Token: 34	232	wmic.exe
Token: 35	232	wmic.exe
Token: 36	232	wmic.exe
Token: SeIncreaseQuotaPrivilege	232	wmic.exe
Token: SeSecurityPrivilege	232	wmic.exe
Token: SeTakeOwnershipPrivilege	232	wmic.exe
Token: SeLoadDriverPrivilege	232	wmic.exe
Token: SeSystemProfilePrivilege	232	wmic.exe
Token: SeSystemtimePrivilege	232	wmic.exe
Token: SeProfSingleProcessPrivilege	232	wmic.exe
Token: SeIncBasePriorityPrivilege	232	wmic.exe
Token: SeCreatePagefilePrivilege	232	wmic.exe
Token: SeBackupPrivilege	232	wmic.exe
Token: SeRestorePrivilege	232	wmic.exe
Token: SeShutdownPrivilege	232	wmic.exe
Token: SeDebugPrivilege	232	wmic.exe
Token: SeSystemEnvironmentPrivilege	232	wmic.exe
Token: SeRemoteShutdownPrivilege	232	wmic.exe
Token: SeUndockPrivilege	232	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 3120 wrote to memory of 1052	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	93
PID 3120 wrote to memory of 1052	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	93
PID 3120 wrote to memory of 1052	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	93
PID 1052 wrote to memory of 3352	1052	net.exe	95
PID 1052 wrote to memory of 3352	1052	net.exe	95
PID 1052 wrote to memory of 3352	1052	net.exe	95
PID 3120 wrote to memory of 3292	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 3120 wrote to memory of 3292	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 3120 wrote to memory of 3292	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	96
PID 3292 wrote to memory of 2148	3292	net.exe	98
PID 3292 wrote to memory of 2148	3292	net.exe	98
PID 3292 wrote to memory of 2148	3292	net.exe	98
PID 3120 wrote to memory of 1776	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	99
PID 3120 wrote to memory of 1776	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	99
PID 3120 wrote to memory of 1776	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	99
PID 1776 wrote to memory of 4956	1776	net.exe	101
PID 1776 wrote to memory of 4956	1776	net.exe	101
PID 1776 wrote to memory of 4956	1776	net.exe	101
PID 3120 wrote to memory of 3172	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	102
PID 3120 wrote to memory of 3172	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	102
PID 3120 wrote to memory of 3172	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	102
PID 3172 wrote to memory of 3972	3172	net.exe	104
PID 3172 wrote to memory of 3972	3172	net.exe	104
PID 3172 wrote to memory of 3972	3172	net.exe	104
PID 3120 wrote to memory of 4008	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	105
PID 3120 wrote to memory of 4008	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	105
PID 3120 wrote to memory of 4008	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	105
PID 4008 wrote to memory of 5112	4008	net.exe	107
PID 4008 wrote to memory of 5112	4008	net.exe	107
PID 4008 wrote to memory of 5112	4008	net.exe	107
PID 3120 wrote to memory of 4572	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	108
PID 3120 wrote to memory of 4572	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	108
PID 3120 wrote to memory of 4572	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	108
PID 4572 wrote to memory of 4128	4572	net.exe	110
PID 4572 wrote to memory of 4128	4572	net.exe	110
PID 4572 wrote to memory of 4128	4572	net.exe	110
PID 3120 wrote to memory of 1844	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	111
PID 3120 wrote to memory of 1844	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	111
PID 3120 wrote to memory of 1844	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	111
PID 1844 wrote to memory of 2964	1844	net.exe	113
PID 1844 wrote to memory of 2964	1844	net.exe	113
PID 1844 wrote to memory of 2964	1844	net.exe	113
PID 3120 wrote to memory of 2056	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	114
PID 3120 wrote to memory of 2056	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	114
PID 3120 wrote to memory of 2056	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	114
PID 2056 wrote to memory of 3124	2056	net.exe	116
PID 2056 wrote to memory of 3124	2056	net.exe	116
PID 2056 wrote to memory of 3124	2056	net.exe	116
PID 3120 wrote to memory of 3916	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	117
PID 3120 wrote to memory of 3916	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	117
PID 3120 wrote to memory of 3916	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	117
PID 3120 wrote to memory of 1928	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	119
PID 3120 wrote to memory of 1928	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	119
PID 3120 wrote to memory of 1928	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	119
PID 3120 wrote to memory of 740	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	121
PID 3120 wrote to memory of 740	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	121
PID 3120 wrote to memory of 740	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	121
PID 3120 wrote to memory of 3348	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	123
PID 3120 wrote to memory of 3348	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	123
PID 3120 wrote to memory of 3348	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	123
PID 3120 wrote to memory of 5028	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	125
PID 3120 wrote to memory of 5028	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	125
PID 3120 wrote to memory of 5028	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	125
PID 3120 wrote to memory of 2752	3120	windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe	127

C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
"C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:3352
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2148
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:4956
- C:\Windows\SysWOW64\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:3972
- C:\Windows\SysWOW64\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:5112
- C:\Windows\SysWOW64\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:4128
- C:\Windows\SysWOW64\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2964
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UnistoreSvc_26699" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_26699" /y
    3⤵
    PID:3124
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:3916
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:1928
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:740
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:3348
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:5028
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:2760
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UnistoreSvc_26699" start= disabled
  2⤵
  - Launches sc.exe
  PID:1292
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3524
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1572
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4560
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:4696
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1036
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4428
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4844
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1708
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1412
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1416
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:3280
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3972
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:3852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:4288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:4112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1804
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:4544
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:4824
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:560
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:5040
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4504
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3804
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4176
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4976
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:4060
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2000
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3160
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\EGdu_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EGdu_HOW_TO_DECRYPT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EGdu_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
4e68cfad3f3cbef5406c90fd9e9d7931

SHA1
504d53957bbed8e1a612c791eec7abdd17bd15bc

SHA256
51dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014

SHA512
78c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bd65a5b390afea6a6ca27ace4650971e

SHA1
b5502a6a262c3bf6371ef0db29f2010ad1e1d1ac

SHA256
56e69fd18236f3221ecef39adfaa624e54f0b35a2db151b69ab60e0bd4af47b5

SHA512
2be24e63607e5a79e66d9acf4ce77806ee14de039693af07f40fa6532685329036866fd2746b04afb0062d07119c265ee3a9a1a17db3872c73761b6088eca316

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nkicoyb.0vm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\temp3.swap.uj1ps

Filesize
42.1MB

MD5
7e973a1952ade6c83082f7ed8dce3695

SHA1
acd3a2481c47e03c5b39a213d863a3aff02b2d44

SHA256
7a283b05f265ce7c7b9d1b8f9a2a37a5fc66bfa04be5ebe3c88a3027cb4a8764

SHA512
2a7b013330acc2731deec5010c4bd827f1ba9918c92de8324a8944735ae4df348259b5aef6a8af831fff3f102be41067454424908ccb11cf551236189c31b9bf

Download Submit
memory/3120-0-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-5640-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7910-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7903-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7888-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7920-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7883-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7925-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7876-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7968-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7510-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-1-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-6095-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-7915-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-37-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-2942-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3120-79-0x0000000000A10000-0x0000000000D22000-memory.dmp

Filesize
3.1MB

Download
memory/3160-80-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/3160-82-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3160-69-0x0000000074B40000-0x0000000074B8C000-memory.dmp

Filesize
304KB

Download
memory/3160-68-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/3160-66-0x0000000006500000-0x0000000006854000-memory.dmp

Filesize
3.3MB

Download
memory/3160-56-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/3160-55-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/3160-54-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3524-4-0x00000000756B8000-0x00000000756B9000-memory.dmp

Filesize
4KB

Download
memory/3556-24-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/3556-52-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3556-49-0x0000000007E70000-0x0000000007E78000-memory.dmp

Filesize
32KB

Download
memory/3556-48-0x0000000007E90000-0x0000000007EAA000-memory.dmp

Filesize
104KB

Download
memory/3556-47-0x0000000007D90000-0x0000000007DA4000-memory.dmp

Filesize
80KB

Download
memory/3556-46-0x0000000007D80000-0x0000000007D8E000-memory.dmp

Filesize
56KB

Download
memory/3556-45-0x0000000007D50000-0x0000000007D61000-memory.dmp

Filesize
68KB

Download
memory/3556-44-0x0000000007DD0000-0x0000000007E66000-memory.dmp

Filesize
600KB

Download
memory/3556-43-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/3556-42-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/3556-41-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/3556-40-0x0000000007A30000-0x0000000007AD3000-memory.dmp

Filesize
652KB

Download
memory/3556-39-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3556-38-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3556-36-0x00000000077B0000-0x00000000077CE000-memory.dmp

Filesize
120KB

Download
memory/3556-26-0x0000000074B40000-0x0000000074B8C000-memory.dmp

Filesize
304KB

Download
memory/3556-25-0x00000000077F0000-0x0000000007822000-memory.dmp

Filesize
200KB

Download
memory/3556-23-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/3556-22-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/3556-21-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/3556-11-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3556-10-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3556-9-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/3556-8-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/3556-7-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/3556-6-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/3556-5-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download