Resubmissions

  • 05-06-2021 10:47  210605-skygsg584e  score 10
  • 05-06-2021 00:09  210605-x97dqrb7je  score 10

Analysis

  • max time kernel
    23s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-06-2021 00:09

General

  • Target

    locker.exe

  • Size

    448KB

  • MD5

    306c47fcb51611bee1ef804c95c7007f

  • SHA1

    9cb58078b3fe2119329e482561d0c7cb740e937c

  • SHA256

    877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463

  • SHA512

    3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\PROTECT_INFO.TXT

Ransom Note

############## YOUR FILES WERE ENCRYPTED ##############
########### AND MARKED BY EXTENSION .nermer ############
--
YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via the link below, located in the TOR private network.
Using this link you can get all the necessary support and make payment.
You just have to download and install the TOR browser (google it) via official site
>> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php <<
--
If you have any problems with TOR browser, email us: >><<
and send us your id: >> {13E20776-DF4D-99C4-1333850A2129120C} <<
--
HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
--
After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system.
We ready to answer all your questions!
-- ################ LIST OF ENCRYPTED FILES ############### C:\Boot\BCD 0 C:\Boot\BCD.LOG 0 C:\Boot\BCD.LOG1 0 C:\Boot\BCD.LOG2 0 C:\Boot\bg-BG\bootmgr.exe.mui 77728 C:\bootmgr 395220 C:\BOOTNXT 1 C:\vcredist2010_x64.log-MSI_vc_red.msi.txt 388418 C:\Boot\cs-CZ\bootmgr.exe.mui 76704 C:\Boot\updaterevokesipolicy.p7b 4662 C:\vcredist2010_x64.log.html 87838 C:\Boot\cs-CZ\memtest.exe.mui 45472 C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log 171238 C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log 199220 C:\Boot\da-DK\bootmgr.exe.mui 75672 C:\Boot\da-DK\memtest.exe.mui 45472 C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log 173680 C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log 194816 C:\Boot\el-GR\bootmgr.exe.mui 80288 C:\Boot\en-GB\bootmgr.exe.mui 74144 C:\Boot\de-DE\bootmgr.exe.mui 79264 C:\Boot\el-GR\memtest.exe.mui 46496 C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log 122640 C:\Boot\de-DE\memtest.exe.mui 45984 C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log 133518 C:\Boot\en-US\bootmgr.exe.mui 74144 C:\Boot\es-ES\bootmgr.exe.mui 77728 C:\Boot\en-US\memtest.exe.mui 44960 C:\Boot\es-MX\bootmgr.exe.mui 77720 C:\Boot\es-ES\memtest.exe.mui 45984 C:\Boot\et-EE\bootmgr.exe.mui 75160 C:\Boot\fi-FI\bootmgr.exe.mui 76696 C:\Boot\fr-CA\bootmgr.exe.mui 79264 C:\Boot\fi-FI\memtest.exe.mui 45472 C:\Boot\fr-FR\bootmgr.exe.mui 79264 C:\Boot\fr-FR\memtest.exe.mui 45984 C:\Boot\hr-HR\bootmgr.exe.mui 76696 C:\Boot\Fonts\chs_boot.ttf 3695719 C:\Boot\hu-HU\bootmgr.exe.mui 78752 C:\Boot\it-IT\bootmgr.exe.mui 77208 C:\Boot\hu-HU\memtest.exe.mui 45976 C:\Boot\it-IT\memtest.exe.mui 45472 C:\Boot\Fonts\cht_boot.ttf 3878410 C:\Boot\ja-JP\bootmgr.exe.mui 67488 C:\Boot\ja-JP\memtest.exe.mui 42904 C:\Boot\Fonts\jpn_boot.ttf 1985867 C:\Boot\ko-KR\bootmgr.exe.mui 66976 C:\Boot\ko-KR\memtest.exe.mui 42912 C:\Boot\lt-LT\bootmgr.exe.mui 75672 C:\Boot\Fonts\kor_boot.ttf 2373000 C:\Boot\Fonts\malgunn_boot.ttf 174959 C:\Boot\lv-LV\bootmgr.exe.mui 75680 C:\Boot\Fonts\malgun_boot.ttf 177414 
C:\Boot\Fonts\meiryon_boot.ttf 143754 C:\Boot\Fonts\meiryo_boot.ttf 145419 C:\Boot\nb-NO\bootmgr.exe.mui 75672 C:\Boot\nl-NL\bootmgr.exe.mui 77728 C:\Boot\Fonts\msjhn_boot.ttf 162331 C:\Boot\nb-NO\memtest.exe.mui 45472 C:\Boot\nl-NL\memtest.exe.mui 45472 C:\Boot\Fonts\msjh_boot.ttf 164347 C:\Boot\pl-PL\bootmgr.exe.mui 77728 C:\Boot\pl-PL\memtest.exe.mui 45984 C:\Boot\Fonts\msyhn_boot.ttf 154427 C:\Boot\qps-ploc\bootmgr.exe.mui 83360 C:\Boot\pt-PT\bootmgr.exe.mui 76696 C:\Boot\Fonts\msyh_boot.ttf 156245 C:\Boot\pt-BR\bootmgr.exe.mui 76704 C:\Boot\Fonts\segmono_boot.ttf 44859 C:\Boot\qps-ploc\memtest.exe.mui 54176 C:\Boot\pt-PT\memtest.exe.mui 45984 C:\Boot\pt-BR\memtest.exe.mui 45472 C:\Boot\Fonts\segoen_slboot.ttf 85862 C:\Boot\Fonts\segoe_slboot.ttf 86178 C:\Boot\ro-RO\bootmgr.exe.mui 76184 C:\Boot\Fonts\wgl4_boot.ttf 49091 C:\Boot\ru-RU\bootmgr.exe.mui 77208 C:\Boot\ru-RU\memtest.exe.mui 44960 C:\Boot\sk-SK\bootmgr.exe.mui 77216 C:\Boot\sl-SI\bootmgr.exe.mui 76704 C:\Boot\sr-Latn-RS\bootmgr.exe.mui 77216 C:\Boot\sv-SE\bootmgr.exe.mui 76192 C:\Boot\tr-TR\bootmgr.exe.mui 75168 C:\Boot\sv-SE\memtest.exe.mui 44952 C:\Boot\tr-TR\memtest.exe.mui 45472 C:\odt\config.xml 688 C:\Boot\uk-UA\bootmgr.exe.mui 77216 C:\Boot\zh-CN\bootmgr.exe.mui 63904 C:\Boot\zh-TW\bootmgr.exe.mui 63904 C:\Boot\zh-CN\memtest.exe.mui 42400 C:\Boot\Resources\en-US\bootres.dll.mui 12192 C:\Boot\zh-TW\memtest.exe.mui 42392 C:\Users\Admin\ntuser.dat.LOG1 0 C:\Users\Admin\ntuser.dat.LOG2 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms 0 C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms 0 C:\Users\Default\NTUSER.DAT.LOG1 40960 C:\Users\Default\NTUSER.DAT.LOG2 0 C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf 65536 
C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms 524288 C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms 524288 C:\Recovery\WindowsRE\boot.sdi 3170304 C:\Recovery\WindowsRE\ReAgent.xml 1081 C:\Recovery\WindowsRE\Winre.wim 344829634 C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp 50 C:\Users\Admin\Desktop\AssertEdit.gif 336028 C:\Users\Admin\Desktop\AssertResume.ppt 283660 C:\Users\Admin\Desktop\BlockSync.vsd 257476 C:\Users\Admin\Desktop\ClearAssert.xsl 196380 C:\Users\Admin\Desktop\CloseResize.dwfx 161468 C:\Users\Admin\Desktop\ComparePop.tiff 222564 C:\Users\Admin\Desktop\CompleteSend.rle 248748 C:\Users\Admin\Desktop\ConnectReceive.xhtml 344756 C:\Users\Admin\Desktop\GroupPublish.lock 178924 C:\Users\Admin\Desktop\InitializeCompress.eprtx 126556 C:\Users\Admin\Desktop\InitializePush.ttf 240020 C:\Users\Admin\Desktop\NewInitialize.ADT 309844 C:\Users\Admin\Documents\ApproveUninstall.htm 604188 C:\Users\Admin\Desktop\PopSwitch.mpg 497280 C:\Users\Admin\Documents\Are.docx 11525 C:\Users\Admin\Desktop\ProtectDisconnect.rle 353484 C:\Users\Admin\Documents\AssertWrite.txt 627426 C:\Users\Admin\Desktop\PublishWatch.emz 318572 C:\Users\Admin\Desktop\RemoveRevoke.ram 187652 C:\Users\Admin\Documents\CompareSend.xlsb 511236 C:\Users\Admin\Documents\CompleteSet.csv 243999 C:\Users\Admin\Desktop\RestoreResolve.wax 135284 C:\Users\Admin\Documents\DisconnectGrant.vsd 870805 C:\Users\Admin\Documents\DisconnectSave.docm 313713 C:\Users\Admin\Desktop\ShowPush.rle 170196 C:\Users\Admin\Documents\EnableInstall.html 580950 C:\Users\Admin\Documents\ExpandSubmit.rtf 534474 C:\Users\Admin\Desktop\SplitExport.wps 152740 C:\Users\Admin\Documents\ExportCheckpoint.pot 267237 C:\Users\Admin\Documents\ExportMount.pptm 336951 C:\Users\Admin\Desktop\SuspendRepair.M2T 274932 C:\Users\Admin\Documents\Files.docx 11551 C:\Users\Admin\Desktop\SyncAssert.TS 144012 
C:\Users\Admin\Documents\FindGrant.dotm 546093 C:\Users\Admin\Desktop\SyncConvertTo.pot 327300 C:\Users\Admin\Desktop\SyncOpen.M2T 231292 C:\Users\Admin\Documents\FindGroup.xltx 592569 C:\Users\Admin\Desktop\UpdateSubmit.mht 266204 C:\Users\Admin\Desktop\WaitPush.wpl 205108 C:\Users\Admin\Documents\GroupResolve.xlsx 278856 C:\Users\Admin\Documents\HideMount.ppsm 464760 C:\Users\Admin\Documents\InstallDisable.pdf 476379 C:\Users\Admin\Documents\InstallSelect.ppsm 487998 C:\Users\Admin\Documents\InvokeUnblock.dot 418284 C:\Users\Admin\Documents\MountMerge.pot 406665 C:\Users\Admin\Documents\MoveExit.xla 371808 C:\Users\Admin\Documents\NewRequest.odt 302094 C:\Users\Admin\Documents\Opened.docx 11538 C:\Users\Admin\Downloads\AssertRevoke.mhtml 774144 C:\Users\Admin\Documents\OptimizeJoin.dotm 255618 C:\Users\Admin\Downloads\BackupDebug.mpeg 368640 C:\Users\Admin\Documents\OptimizePush.vssm 569331 C:\Users\Admin\Documents\OutPing.docm 429903 C:\Users\Admin\Downloads\CloseGet.jpe 681984 C:\Users\Admin\Documents\PingJoin.odt 220761 C:\Users\Admin\Downloads\CompareSwitch.emz 608256 C:\Users\Admin\Documents\PushUnlock.vsd 360189 C:\Users\Admin\Music\BackupConfirm.vsw 258940 C:\Users\Admin\Downloads\ConfirmLimit.m4a 552960 C:\Users\Admin\Music\BackupRevoke.xps 268356 C:\Users\Admin\Downloads\CopyRename.tif 442368 C:\Users\Admin\Music\CompareGet.rle 296604 C:\Users\Admin\Downloads\DisableLimit.ppsm 405504 C:\Users\Admin\Music\CompareUnprotect.m3u 466092 C:\Users\Admin\Downloads\DismountStart.vsw 294912 C:\Users\Admin\Music\CompleteExport.midi 211860 C:\Users\Admin\Downloads\EnableOut.crw 313344 C:\Users\Admin\Music\ConfirmComplete.mpg 287188 C:\Users\Admin\Music\ConvertToRedo.htm 315436 C:\Users\Admin\Downloads\EnterCheckpoint.jtx 534528 C:\Users\Admin\Music\EditBackup.001 164780 C:\Users\Admin\Music\EnableGet.rle 324852 C:\Users\Admin\Music\ExportReset.fon 193028 C:\Users\Admin\Music\GetDisconnect.DVR-MS 371932 C:\Users\Admin\Downloads\ExitInitialize.xls 847872 
C:\Users\Admin\Music\GrantStart.wmv 428428 C:\Users\Admin\Downloads\FormatFind.txt 811008 C:\Users\Admin\Music\HideConvert.rle 437844 C:\Users\Admin\Music\ImportRevoke.mhtml 447260 C:\Users\Admin\Downloads\InitializeFind.vdw 737280 C:\Users\Admin\Music\InitializeConvert.mpeg 362516 C:\Users\Admin\Downloads\LimitDebug.otf 755712 C:\Users\Admin\Music\InitializeInvoke.js 221276 C:\Users\Admin\Music\InvokeCompress.mpeg 183612 C:\Users\Admin\Music\InvokeSubmit.otf 343684 C:\Users\Admin\Downloads\LimitUnregister.bmp 626688 C:\Users\Admin\Music\MeasureGroup.css 456676 C:\Users\Admin\Downloads\MountFormat.3gp 700416 C:\Users\Admin\Music\MoveSubmit.xps 409596 C:\Users\Admin\Music\PingSuspend.doc 249524 C:\Users\Admin\Downloads\MoveEdit.001 1161216 C:\Users\Admin\Music\PushShow.jtx 230692 C:\Users\Admin\Music\RedoRead.iso 174196 C:\Users\Admin\Downloads\PingUnregister.3gp 387072 C:\Users\Admin\Music\RemoveAdd.AAC 353100 C:\Users\Admin\Downloads\RegisterGet.mpe 497664 C:\Users\Admin\Music\ResizeRedo.m4v 475508 C:\Users\Admin\Downloads\RemoveResume.wmv 423936 C:\Users\Admin\Music\StepSelect.txt 334268 C:\Users\Admin\Downloads\RenameSync.xps 663552 C:\Users\Admin\Music\SubmitSplit.wma 390764 C:\Users\Admin\Downloads\RequestStop.eps 350208 C:\Users\Admin\Music\SyncCompare.M2T 277772 C:\Users\Admin\Documents\Recently.docx 11533 C:\Users\Admin\Pictures\AssertUnregister.dwg 419319 C:\Users\Admin\Documents\RemoveSwitch.mhtml 522855 C:\Users\Admin\Documents\RenameWatch.potx 395046 C:\Users\Admin\Pictures\ClearOptimize.wmf 594557 C:\Users\Admin\Pictures\ClearRead.raw 356734 C:\Users\Admin\Documents\RepairUnprotect.xls 441522 C:\Users\Admin\Documents\RestartUninstall.dotm 639045 C:\Users\Admin\Pictures\ClearRestart.wmf 814096 C:\Users\Admin\Documents\SuspendSelect.docx 290475 C:\Users\Admin\Pictures\CloseUnprotect.tiff 269115 C:\Users\Admin\Pictures\EnterUnregister.svgz 431836 C:\Users\Admin\Searches\Everywhere.search-ms 248 C:\Users\Admin\Searches\Indexed Locations.search-ms 248 
C:\Users\Admin\Pictures\ExportMerge.cr2 469387 C:\Users\Admin\Searches\winrt--{S-1-5-21-3686645723-710336880-414668232-1000}-.searchconnector-ms 852 C:\Users\Admin\Pictures\GroupFormat.wmf 506938 C:\Users\Admin\Pictures\GroupPush.dib 244081 C:\Users\Admin\Music\UninstallProtect.vstx 400180 C:\Users\Admin\Music\UnregisterRemove.crw 419012 C:\Users\Admin\Pictures\HideTest.png 394285 C:\Users\Admin\Music\UseReset.dotx 381348 C:\Users\Admin\Music\WriteUnprotect.pcx 202444 C:\Users\Admin\Favorites\Bing.url 208 C:\Users\Admin\Pictures\InvokeSubmit.crw 406802 C:\Users\Admin\Downloads\ShowInvoke.mp4 829440 C:\Users\Admin\Pictures\LockStart.dib 331700 C:\Users\Admin\Pictures\MountHide.eps 306666 C:\Users\Admin\Downloads\SplitReset.docm 718848 C:\Users\Admin\Pictures\OpenOptimize.gif 519455 C:\Users\Admin\Downloads\TraceLock.clr 589824 C:\Users\Admin\Pictures\OutOptimize.wmf 281632 C:\Users\Admin\Pictures\PublishEdit.raw 344217 C:\Users\Admin\Downloads\UnregisterSave.kix 479232 C:\Users\Admin\Documents\SwitchConfirm.doc 383427 C:\Users\Admin\Downloads\UseStop.mpp 460800 C:\Users\Admin\Documents\These.docx 11462 C:\Users\Admin\Downloads\UseTrace.otf 571392 C:\Users\Admin\Documents\UninstallSkip.xlt 499617 C:\Users\Admin\Downloads\WatchConvertFrom.htm 792576 C:\Users\Admin\Documents\UnprotectAssert.xlsb 348570 C:\Users\Admin\Documents\UnprotectMerge.vsw 325332 C:\Users\Admin\Pictures\ReadEnter.pcx 369251 C:\Users\Admin\Documents\UnpublishCompress.dotm 453141 C:\Users\Admin\Pictures\ReadInstall.emz 494421 C:\Users\Admin\Documents\UnpublishSelect.rtf 557712 C:\Users\Admin\Documents\UpdateConvertTo.vsdm 232380 C:\Users\Admin\Pictures\RedoUnprotect.dib 381768 C:\Users\Admin\Pictures\ResolveDisable.raw 231564 C:\Users\Admin\Documents\WriteSwitch.vstx 615807 C:\Users\Admin\Pictures\ResolveSelect.wmf 582040 C:\Users\Admin\Pictures\SearchConnect.emz 294149 C:\Users\Admin\Pictures\SetInitialize.wmf 319183 C:\Users\Admin\Pictures\ShowGroup.jpg 557006 
C:\Users\Admin\Pictures\SkipUpdate.dxf 206530 C:\Users\Admin\Pictures\TraceTest.gif 569523 C:\Users\Admin\Pictures\UnblockImport.dxf 544489 C:\Users\Admin\Pictures\UpdateGrant.tiff 531972 C:\Users\Admin\Pictures\WaitLock.dxf 481904 C:\Users\Admin\Pictures\Wallpaper.jpg 24811 C:\Users\Admin\Pictures\WatchPublish.crw 456870 C:\Users\Admin\Pictures\WriteStart.jpeg 444353 C:\Users\Admin\Pictures\WriteWait.emf 256598 C:\Users\Public\Libraries\RecordedTV.library-ms 999 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget 3 C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml 114227 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink 7 C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml 768 C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail 4
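The note above is the only artefact on this page that carries the victim id, the onion URL and the per-file impact list, and the list is a flat "path size path size" run in which paths may contain spaces. The following is an added triage helper, not part of this report or of the sample, that pulls the indicators out of the header and parses the list into (path, size) pairs; `NOTE` is a constructed excerpt of the real note cut down to six list entries, and the victim id is matched loosely because its braced value is not laid out like a standard GUID.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Excerpt of the ransom note from this report, trimmed to six entries of the
# file list (constructed test input; the real note lists several hundred files).
NOTE = (
    "############## YOUR FILES WERE ENCRYPTED ############## "
    "########### AND MARKED BY EXTENSION .nermer ############ "
    "-- YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES "
    ">> http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php << "
    "send us your id: >> {13E20776-DF4D-99C4-1333850A2129120C} << "
    "-- ################ LIST OF ENCRYPTED FILES ############### "
    "C:\\Boot\\BCD 0 C:\\Boot\\BCD.LOG 0 C:\\bootmgr 395220 "
    "C:\\Users\\Admin\\Music\\EditBackup.001 164780 "
    "C:\\Users\\Admin\\Searches\\Indexed Locations.search-ms 248 "
    "C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\"
    "Compressed (zipped) Folder.ZFSendToTarget 3"
)

LIST_MARKER = "LIST OF ENCRYPTED FILES"
EXT_RE = re.compile(r"MARKED BY EXTENSION (\.[A-Za-z0-9_]+)")
# v3 onion address: exactly 56 base32 characters, then whatever path follows.
ONION_RE = re.compile(r"(https?://[a-z2-7]{56}\.onion\S*)")
# The victim id is braced hex but 8-4-4-16, not GUID-shaped, so match loosely.
VICTIM_ID_RE = re.compile(r"(\{[0-9A-Fa-f-]{20,}\})")
# "<path> <size>" pairs. Paths may contain spaces, so a path ends only where a
# size is followed by the next drive-letter path or by the end of the list.
FILE_RE = re.compile(r"([A-Za-z]:\\.+?)\s+(\d+)(?=\s+[A-Za-z]:\\|\s*$)", re.S)


def extract_indicators(note: str) -> Dict[str, Optional[str]]:
    """Pull the extension, onion URL and victim id out of the note header."""
    head = note.partition(LIST_MARKER)[0]
    found = {}
    for key, rx in (("extension", EXT_RE), ("onion_url", ONION_RE), ("victim_id", VICTIM_ID_RE)):
        m = rx.search(head)
        found[key] = m.group(1) if m else None
    return found


def parse_file_list(note: str) -> List[Tuple[str, int]]:
    """Return (path, size_in_bytes) for every entry after the list marker."""
    tail = note.partition(LIST_MARKER)[2]
    return [(m.group(1), int(m.group(2))) for m in FILE_RE.finditer(tail)]


def location_key(path: str) -> str:
    """Group C:\\Users\\<user>\\<folder> entries by that folder, anything else by C:\\<dir>."""
    parts = path.split("\\")
    if len(parts) >= 5 and parts[1].lower() == "users":
        return "\\".join(parts[:4])
    return "\\".join(parts[:-1][:2])


def summarize(entries: List[Tuple[str, int]]) -> dict:
    """Impact summary: how many files, how many bytes, where, and how many zero-byte entries."""
    return {
        "count": len(entries),
        "total_bytes": sum(size for _, size in entries),
        "zero_length": sum(1 for _, size in entries if size == 0),
        "by_location": dict(Counter(location_key(p) for p, _ in entries)),
    }


if __name__ == "__main__":
    print(extract_indicators(NOTE))
    print(summarize(parse_file_list(NOTE)))
```

Run against the full list on this page, the zero-length counter is the value worth looking at first: every `C:\Boot\BCD*` and `ntuser.dat.LOG*` entry is reported at 0 bytes, which is what a locked registry or BCD hive looks like to a process that only managed to open it, so those entries are not evidence that the hives themselves were rewritten.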
URLs

http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

    Sets recoveryenabled to No and bootstatuspolicy to ignoreallfailures on the default boot entry, which suppresses the Windows Recovery Environment and automatic repair after a failed boot.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files; the ransom note above states that the extension used here is .nermer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery. Here the sample resizes the shadow storage of each drive letter c: through h: to 401MB and then back to unbounded before running Delete Shadows /All /Quiet; shrinking the storage area below its current usage makes VSS discard existing copies, so the copies are lost even if the later delete command is blocked.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4452
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:5064
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:4068
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3840
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2648
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4116
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3976
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4184
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4300
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4304
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4340
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:492
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1180
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1532
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1796
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1524
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:2360
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL
      2⤵
        PID:3860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5116
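The process tree above is the detection opportunity in this report: one parent (PID 4452) spawns seventeen children that each carry a recovery-inhibition command line, while any one of those commands on its own is something an administrator might legitimately type. The following is an added example of that detection logic, not part of this report or of the sandbox's own signatures: it matches process-creation events (Sysmon Event ID 1 or Security 4688 style fields) against the commands seen here and only alerts when a single parent accounts for two or more distinct techniques. `EVENTS` is constructed; its first eight entries reuse the report's command lines and PIDs, the two under parent 1234 are benign admin commands added to show what must stay quiet. The `delete catalog` alternative in the wbadmin rule and the self-deletion rule are my additions based on the `cmd.exe /c del` child above, not sandbox signatures, and the wmic rule keys on the bare SHADOWCOPY alias because that is how the sample invoked it.

```python
import re
from collections import defaultdict
from typing import Dict, List

LOCKER = r"C:\Users\Admin\AppData\Local\Temp\locker.exe"


def ev(pid: int, ppid: int, image: str, command_line: str, parent_image: str = LOCKER) -> dict:
    """Minimal process-creation record (constructed; field names are Sysmon-like)."""
    return {"pid": pid, "ppid": ppid, "image": image,
            "command_line": command_line, "parent_image": parent_image}


# Constructed events: the report's children of PID 4452, plus two benign admin commands.
EVENTS = [
    ev(5064, 4452, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ev(4068, 4452, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    ev(1532, 4452, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ev(1796, 4452, r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ev(1524, 4452, r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ev(2360, 4452, r"C:\Windows\SYSTEM32\wbadmin.exe", "wbadmin DELETE SYSTEMSTATEBACKUP"),
    ev(2732, 4452, r"C:\Windows\System32\Wbem\wmic.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    ev(3860, 4452, r"C:\Windows\system32\cmd.exe",
       r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL'),
    # Benign (constructed): an administrator inspecting VSS and BCD from a console.
    ev(7001, 1234, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin list shadows", r"C:\Windows\system32\cmd.exe"),
    ev(7002, 1234, r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit /enum", r"C:\Windows\system32\cmd.exe"),
]

# (label, image basename, pattern over the lower-cased, whitespace-normalised command line)
RULES = [
    ("vss_shadowstorage_resize", "vssadmin.exe", r"\bresize shadowstorage\b.*/maxsize="),
    ("vss_delete_shadows", "vssadmin.exe", r"\bdelete shadows\b"),
    ("bcdedit_disable_recovery", "bcdedit.exe", r"\brecoveryenabled no\b"),
    ("bcdedit_ignore_boot_failures", "bcdedit.exe", r"\bbootstatuspolicy ignoreallfailures\b"),
    # "delete catalog" is a common variant added here; this report only shows SYSTEMSTATEBACKUP.
    ("wbadmin_delete_systemstate", "wbadmin.exe", r"\bdelete (systemstatebackup|catalog)\b"),
    ("wmic_shadowcopy", "wmic.exe", r"\bshadowcopy\b"),
]
# "del [/switches] <target>" -- the target is compared with the parent's own image path.
SELF_DELETE_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+\"?([^\"\s>]+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> List[str]:
    """Labels of every rule the event matches (empty list for benign events)."""
    image = basename(event["image"])
    cmd = " ".join(event["command_line"].split()).lower()
    hits = [label for label, img, rx in RULES if image == img and re.search(rx, cmd)]
    if image == "cmd.exe":
        m = SELF_DELETE_RE.search(cmd)
        if m and m.group(1) == event["parent_image"].lower():
            hits.append("self_delete_via_cmd")
    return hits


def triage(events: List[dict], min_techniques: int = 2) -> Dict[int, dict]:
    """Group hits by parent PID and report parents with >= min_techniques distinct
    techniques. A lone vssadmin or bcdedit invocation stays below the threshold."""
    by_parent = defaultdict(lambda: {"parent_image": None, "techniques": set(), "matching_children": 0})
    for event in events:
        hits = match_rules(event)
        if not hits:
            continue
        rec = by_parent[event["ppid"]]
        rec["parent_image"] = event["parent_image"]
        rec["techniques"].update(hits)
        rec["matching_children"] += 1
    return {ppid: rec for ppid, rec in by_parent.items() if len(rec["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for ppid, rec in triage(EVENTS).items():
        print(ppid, rec["parent_image"], rec["matching_children"], sorted(rec["techniques"]))
```

The parent-PID aggregation is the part to keep when porting this to a SIEM: on a real host the threshold should also be bounded by time (the children here all appear within the 23 second kernel window of the run), and the wmic rule will need a `list`/`get` exclusion in environments where operators query shadow copies that way.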

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Command-Line Interface T1059 (1)
  • Defense Evasion
    • File Deletion T1107 (3)
    • Modify Registry T1112 (1)
  • Credential Access
    • Credentials in Files T1081 (1)
  • Discovery
    • Query Registry T1012 (1)
    • Peripheral Device Discovery T1120 (1)
    • System Information Discovery T1082 (2)
  • Collection
    • Data from Local System T1005 (1)
  • Impact
    • Inhibit System Recovery T1490 (4)


Downloads

  • memory/492-124-0x0000000000000000-mapping.dmp
  • memory/1180-125-0x0000000000000000-mapping.dmp
  • memory/1524-128-0x0000000000000000-mapping.dmp
  • memory/1532-126-0x0000000000000000-mapping.dmp
  • memory/1796-127-0x0000000000000000-mapping.dmp
  • memory/2360-129-0x0000000000000000-mapping.dmp
  • memory/2648-117-0x0000000000000000-mapping.dmp
  • memory/2732-130-0x0000000000000000-mapping.dmp
  • memory/3840-116-0x0000000000000000-mapping.dmp
  • memory/3860-131-0x0000000000000000-mapping.dmp
  • memory/3976-119-0x0000000000000000-mapping.dmp
  • memory/4068-115-0x0000000000000000-mapping.dmp
  • memory/4116-118-0x0000000000000000-mapping.dmp
  • memory/4184-120-0x0000000000000000-mapping.dmp
  • memory/4300-121-0x0000000000000000-mapping.dmp
  • memory/4304-122-0x0000000000000000-mapping.dmp
  • memory/4340-123-0x0000000000000000-mapping.dmp
  • memory/5064-114-0x0000000000000000-mapping.dmp