Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7
  • submitted: 28-10-2020 10:21

General

  • Target: b76e77b52d682f0938d120f3fe011660.exe
  • Size: 68KB
  • MD5: b76e77b52d682f0938d120f3fe011660
  • SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
  • SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
  • SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\LhTk7_readme_.txt

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBcCCCeADd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\LhTk7_readme_.txt

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\LhTk7_readme_.txt above.
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Default\LhTk7_readme_.txt

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\LhTk7_readme_.txt above.
URLs

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon Ransomware (7 IoCs)
  • Phorphiex Payload (3 IoCs)
  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • UAC bypass (3 TTPs)
  • Windows security bypass (2 TTPs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE (4 IoCs)
  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL (3 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service (2 TTPs, 4 IoCs)
  • Interacts with shadow copies (2 TTPs, 3 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (683 IoCs)
  • Suspicious use of AdjustPrivilegeToken (63 IoCs)
  • Suspicious use of WriteProcessMemory (112 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe
    "C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\25942123283630\winsvcs.exe
      C:\25942123283630\winsvcs.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\1955617763.exe
        C:\Users\Admin\AppData\Local\Temp\1955617763.exe
        • Executes dropped EXE
        • Modifies extensions of user files
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic.exe SHADOWCOPY /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:884
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
          PID:920
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
          PID:972
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
          PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          PID:288
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            • Interacts with shadow copies
            PID:752
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic.exe SHADOWCOPY /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:1448
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
          PID:1888
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
          PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
          PID:1344
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          PID:2044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
          PID:1664
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            • Interacts with shadow copies
            PID:688
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
          PID:1496
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic.exe SHADOWCOPY /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:748
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
          PID:1476
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
          PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
          PID:560
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          PID:660
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
          PID:1344
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            • Interacts with shadow copies
            PID:1700
      • C:\Users\Admin\AppData\Local\Temp\2181510612.exe
        C:\Users\Admin\AppData\Local\Temp\2181510612.exe
        • Executes dropped EXE
        PID:920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1428
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {98EEE717-8586-4086-AB62-F975607CAA44} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]
    PID:1188
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1955617763.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1955617763.exe
      • Executes dropped EXE
      PID:1604

Downloads

  • C:\25942123283630\winsvcs.exe
    MD5: b76e77b52d682f0938d120f3fe011660
    SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
    SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
    SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177

  • C:\Users\Admin\AppData\Local\Temp\1955617763.exe
    MD5: f653e6890e4afe6eb4081b3f94189dad
    SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
    SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
    SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2

  • C:\Users\Admin\AppData\Local\Temp\2181510612.exe
    MD5: f653e6890e4afe6eb4081b3f94189dad
    SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
    SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
    SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1955617763.exe
    MD5: f653e6890e4afe6eb4081b3f94189dad
    SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
    SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
    SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2

  • \25942123283630\winsvcs.exe
    MD5: b76e77b52d682f0938d120f3fe011660
    SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
    SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
    SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177

  • \Users\Admin\AppData\Local\Temp\1955617763.exe
    MD5: f653e6890e4afe6eb4081b3f94189dad
    SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
    SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
    SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2

  • \Users\Admin\AppData\Local\Temp\2181510612.exe
    MD5: f653e6890e4afe6eb4081b3f94189dad
    SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
    SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
    SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2

  • memory/288-14-0x0000000000000000-mapping.dmp
  • memory/532-9-0x0000000000000000-mapping.dmp
  • memory/560-29-0x0000000000000000-mapping.dmp
  • memory/660-30-0x0000000000000000-mapping.dmp
  • memory/688-27-0x0000000000000000-mapping.dmp
  • memory/748-28-0x0000000000000000-mapping.dmp
  • memory/752-20-0x0000000000000000-mapping.dmp
  • memory/800-6-0x0000000000000000-mapping.dmp
  • memory/884-13-0x0000000000000000-mapping.dmp
  • memory/920-34-0x0000000000000000-mapping.dmp
  • memory/920-10-0x0000000000000000-mapping.dmp
  • memory/972-11-0x0000000000000000-mapping.dmp
  • memory/1344-31-0x0000000000000000-mapping.dmp
  • memory/1344-21-0x0000000000000000-mapping.dmp
  • memory/1448-18-0x0000000000000000-mapping.dmp
  • memory/1476-25-0x0000000000000000-mapping.dmp
  • memory/1496-24-0x0000000000000000-mapping.dmp
  • memory/1544-26-0x0000000000000000-mapping.dmp
  • memory/1572-15-0x0000000000000000-mapping.dmp
  • memory/1604-37-0x0000000000000000-mapping.dmp
  • memory/1628-1-0x0000000000000000-mapping.dmp
  • memory/1636-19-0x0000000000000000-mapping.dmp
  • memory/1652-12-0x0000000000000000-mapping.dmp
  • memory/1664-23-0x0000000000000000-mapping.dmp
  • memory/1668-4-0x000007FEF84A0000-0x000007FEF871A000-memory.dmp
    Filesize: 2.5MB
  • memory/1696-16-0x0000000000000000-mapping.dmp
  • memory/1700-32-0x0000000000000000-mapping.dmp
  • memory/1888-17-0x0000000000000000-mapping.dmp
  • memory/2044-22-0x0000000000000000-mapping.dmp