{"Event":{"info":"OSINT - How we discovered a Ukranian cybercrime hotspot","Tag":[{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:malpedia=\"win.gandcrab\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:ransomware=\"GandCrab\""},{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#2c4f00","exportable":true,"name":"malware_classification:malware-category=\"Ransomware\""},{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"publish_timestamp":"0","timestamp":"1540287402","Object":[{"comment":"Windows security center stops monitoring the \r\nstatus of an antivirus protection","template_uuid":"8b3228ad-6d82-4fe6-b2ae-05426308f1d5","uuid":"5bcdd845-8e88-4c09-a35d-4e4f950d210f","sharing_group_id":"0","timestamp":"1540216901","description":"Registry key object describing a Windows registry key with value and last-modified timestamp","template_version":"4","Attribute":[{"comment":"","category":"Persistence mechanism","uuid":"5bcdd845-ce48-46cd-b50d-4b19950d210f","timestamp":"1540216901","to_ids":true,"value":"HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusOverride","disable_correlation":false,"object_relation":"key","type":"regkey"},{"comment":"","category":"Persistence mechanism","uuid":"5bcdd847-b4d4-423c-9397-4759950d210f","timestamp":"1540216903","to_ids":false,"value":"1","disable_correlation":false,"object_relation":"data","type":"text"},{"comment":"","category":"Other","uuid":"5bcdd851-bbe8-41a7-ae9b-47bd950d210f","timestamp":"1540216913","to_ids":false,"value":"HKLM","disable_correlation":true,"object_relation":"root-keys","type":"text"},{"comment":"","category":"Persistence mechanism","uuid":"5bcdd851-5cf8-4f2f-825e-4aae950d210f","timestamp":"1540216913","to_ids":false,"value":"REG_NONE","disable_correlation":true,"object_relation":"data-type","type":"text"}],"distribution":"5","meta-category":"file","name":"registry-key"},{"comment":"No clear documentation available but it seems like it \ndisables the antivirus updates.","template_uuid":"8b3228ad-6d82-4fe6-b2ae-05426308f1d5","uuid":"5bcecafe-9d14-4881-9aa2-4f6f950d210f","sharing_group_id":"0","timestamp":"1540279038","description":"Registry key object describing a Windows registry key with value and last-modified timestamp","template_version":"4","Attribute":[{"comment":"","category":"Persistence mechanism","uuid":"5bcecaff-033c-47e3-ba7a-4e7c950d210f","timestamp":"1540279039","to_ids":true,"value":"HKLM\\SOFTWARE\\Microsoft\\Security Center\\UpdatesOverride","disable_correlation":false,"object_relation":"key","type":"regkey"},{"comment":"","category":"Persistence mechanism","uuid":"5bcecb02-6c6c-4cee-95a0-4bbf950d210f","timestamp":"1540279042","to_ids":false,"value":"1","disable_correlation":false,"object_relation":"data","type":"text"},{"comment":"","category":"Other","uuid":"5bcecb07-158c-4c76-9a5a-48a4950d210f","timestamp":"1540279047","to_ids":false,"value":"HKLM","disable_correlation":true,"object_relation":"root-keys","type":"text"},{"comment":"","category":"Persistence mechanism","uuid":"5bcecb09-2000-4994-b7e0-48f8950d210f","timestamp":"1540279049","to_ids":false,"value":"REG_NONE","disable_correlation":true,"object_relation":"data-type","type":"text"}],"distribution":"5","meta-category":"file","name":"registry-key"},{"comment":"Turns off the firewall","template_uuid":"8b3228ad-6d82-4fe6-b2ae-05426308f1d5","uuid":"5bcecdb3-6f40-48b7-b0a8-429a950d210f","sharing_group_id":"0","timestamp":"1540280108","description":"Registry key object describing a Windows registry key with value and last-modified timestamp","template_version":"4","Attribute":[{"comment":"","category":"Persistence mechanism","uuid":"5bcecdb3-b774-47a1-8cc2-4360950d210f","timestamp":"1540280108","to_ids":true,"value":"HKLM\\SOFTWARE\\Microsoft\\Security Center\\FirewallOverride",