Analysis
-
max time kernel
190s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-06-2022 19:33
Static task
static1
Behavioral task
behavioral1
Sample
0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe
-
Size
604KB
-
MD5
5836ef38d2aa4152f5787e506951048c
-
SHA1
72e36c98291f7dad95fa2a77f0d843e6b931f0dd
-
SHA256
0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256
-
SHA512
4540097f7cead8f61bc71aed09564fb15da6e6b52dfe97a7e47431790241c5f13be5c6e7120326162fb54ed06b0a2618896cd91809595b04c519381121df71a2
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt
Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/79DEB3EF5598668
2. http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/79DEB3EF5598668
3. http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/79DEB3EF5598668
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization
3. Type in the address bar: fwgrhsao3aoml7ej.onion/79DEB3EF5598668
4. Follow the instructions on the site.
!!! IMPORTANT INFORMATION:
!!! Your personal pages:
http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/79DEB3EF5598668
http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/79DEB3EF5598668
http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/79DEB3EF5598668
!!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/79DEB3EF5598668
!!! Your personal identification ID: 79DEB3EF5598668
URLs
http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/79DEB3EF5598668
http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/79DEB3EF5598668
http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/79DEB3EF5598668
http://fwgrhsao3aoml7ej.onion/79DEB3EF5598668
Signatures
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
pid Process 3748 bcdedit.exe 2792 bcdedit.exe 768 bcdedit.exe 3772 bcdedit.exe 3916 bcdedit.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run wbxlfxm.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\addon_v57 = "C:\\Users\\Admin\\AppData\\Roaming\\wbxlfxm.exe" wbxlfxm.exe -
Executes dropped EXE 2 IoCs
pid Process 2416 wbxlfxm.exe 544 wbxlfxm.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation wbxlfxm.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 600 set thread context of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 2416 set thread context of 544 2416 wbxlfxm.exe 81 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\uz.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\io.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\DESIGNER\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\License.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\mng.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\readme.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\et-EE\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt wbxlfxm.exe File opened for modification C:\Program Files\7-Zip\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.png wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.txt wbxlfxm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\_H_e_l_p_RECOVER_INSTRUCTIONS+bfq.html wbxlfxm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1460 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe 544 wbxlfxm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe Token: SeDebugPrivilege 544 wbxlfxm.exe Token: SeBackupPrivilege 1088 vssvc.exe Token: SeRestorePrivilege 1088 vssvc.exe Token: SeAuditPrivilege 1088 vssvc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 2416 wbxlfxm.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 600 wrote to memory of 4092 600 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 77 PID 4092 wrote to memory of 2416 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 78 PID 4092 wrote to memory of 2416 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 78 PID 4092 wrote to memory of 2416 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 78 PID 4092 wrote to memory of 2988 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 79 PID 4092 wrote to memory of 2988 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 79 PID 4092 wrote to memory of 2988 4092 0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe 79 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 2416 wrote to memory of 544 2416 wbxlfxm.exe 81 PID 544 wrote to memory of 3748 544 wbxlfxm.exe 82 PID 544 wrote to memory of 3748 544 wbxlfxm.exe 82 PID 544 wrote to memory of 1460 544 wbxlfxm.exe 84 PID 544 wrote to memory of 1460 544 wbxlfxm.exe 84 PID 544 wrote to memory of 2792 544 wbxlfxm.exe 90 PID 544 wrote to memory of 2792 544 wbxlfxm.exe 90 PID 544 wrote to memory of 768 544 wbxlfxm.exe 92 PID 544 wrote to memory of 768 544 wbxlfxm.exe 92 PID 544 wrote to memory of 3772 544 wbxlfxm.exe 94 PID 544 wrote to memory of 3772 544 wbxlfxm.exe 94 PID 544 wrote to memory of 3916 544 wbxlfxm.exe 97 PID 544 wrote to memory of 3916 544 wbxlfxm.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe"C:\Users\Admin\AppData\Local\Temp\0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Users\Admin\AppData\Local\Temp\0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe"C:\Users\Admin\AppData\Local\Temp\0e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Roaming\wbxlfxm.exeC:\Users\Admin\AppData\Roaming\wbxlfxm.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Roaming\wbxlfxm.exeC:\Users\Admin\AppData\Roaming\wbxlfxm.exe4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} bootems off5⤵
- Modifies boot configuration data using bcdedit
PID:3748
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:1460
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} advancedoptions off5⤵
- Modifies boot configuration data using bcdedit
PID:2792
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} optionsedit off5⤵
- Modifies boot configuration data using bcdedit
PID:768
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
PID:3772
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} recoveryenabled off5⤵
- Modifies boot configuration data using bcdedit
PID:3916
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\0E3EEE~1.EXE3⤵PID:2988
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
604KB
MD55836ef38d2aa4152f5787e506951048c
SHA172e36c98291f7dad95fa2a77f0d843e6b931f0dd
SHA2560e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256
SHA5124540097f7cead8f61bc71aed09564fb15da6e6b52dfe97a7e47431790241c5f13be5c6e7120326162fb54ed06b0a2618896cd91809595b04c519381121df71a2
-
Filesize
604KB
MD55836ef38d2aa4152f5787e506951048c
SHA172e36c98291f7dad95fa2a77f0d843e6b931f0dd
SHA2560e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256
SHA5124540097f7cead8f61bc71aed09564fb15da6e6b52dfe97a7e47431790241c5f13be5c6e7120326162fb54ed06b0a2618896cd91809595b04c519381121df71a2
-
Filesize
604KB
MD55836ef38d2aa4152f5787e506951048c
SHA172e36c98291f7dad95fa2a77f0d843e6b931f0dd
SHA2560e3eeeff8a9838a73de58d935e38417fca0b4948849343fc2a94251c4e4e4256
SHA5124540097f7cead8f61bc71aed09564fb15da6e6b52dfe97a7e47431790241c5f13be5c6e7120326162fb54ed06b0a2618896cd91809595b04c519381121df71a2