hydracrypt | 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

Analysis

max time kernel
97s
max time network
102s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-06-2022 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Size

164KB
MD5

5f2d13576e4906501c91b8bf400e0890
SHA1

adff2761a6afe9ecaa70486c0a04746c676a133b
SHA256

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2
SHA512

29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd

Score

10^/10

hydracrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_DECRYPT_HYDRA_ID_d3e7b4d.txt

Ransom Note

Attention! All Your files and documents were encrypted! Encryption was made with a special crypto-code! There NO CHANCE to decrypt it without our special software and your unique private key! To buy your software You need to contact us by EMAIL: 1) [email protected] or 2) [email protected] Your email text should contain your unique ID number and one of your encrypted file. We will decrypt one of your file for FREE! It`s your guarantee! Remember! Your time has a limit: 72 hour. If You will not send any email We will turn on a sanctions: 1) Your software`s price will be higher 2) Your unique private key will be destroyed (After that your files will stay encrypted forever) 3) Your private info, files, documents will be sold on the Dark Markets Attention: all your attempts to decrypt your PC without our software can destroy or damage your files!

Emails

[email protected]

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 26 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\WatchSet.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\CompleteRestart.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\CompleteRestart.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\PushRemove.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveExit.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\ResolveExit.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockCheckpoint.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\WatchSet.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\BackupResolve.png.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\InstallConvertTo.raw.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\JoinDeny.crw.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\PushRemove.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\JoinDeny.crw.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\MeasureStep.raw.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\MeasureStep.raw.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\StopSet.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\StopSet.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\WatchSet.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\BackupResolve.png.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteRestart.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\InstallConvertTo.raw.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Pictures\PushRemove.tiff	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\ResolveExit.tiff.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Drops startup file 3 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_d3e7b4d	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\zoxenuqi.exe\""	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe\""	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PWZ8QZ9F\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P4R98AUH\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8WU7A3BP\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VRG14UW3\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File opened (read-only)	\??\T:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\K:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\H:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\E:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\A:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\F:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\W:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\U:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\S:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Q:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\O:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\M:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\L:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Z:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Y:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\X:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\V:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\N:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\G:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\R:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\P:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\J:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\I:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\B:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	pid	process	target process
PID 632 set thread context of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2716 1648 WerFault.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

pid	pid_target	process	target process
2716	1648	WerFault.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
624	vssadmin.exe
2440	vssadmin.exe
2104	vssadmin.exe
2540	vssadmin.exe
2416	vssadmin.exe
544	vssadmin.exe
2748	vssadmin.exe
564	vssadmin.exe
1584	vssadmin.exe
1548	vssadmin.exe
1488	vssadmin.exe
1880	vssadmin.exe
1896	vssadmin.exe
1480	vssadmin.exe
2356	vssadmin.exe
2848	vssadmin.exe
2872	vssadmin.exe
1972	vssadmin.exe
2208	vssadmin.exe
2464	vssadmin.exe
2636	vssadmin.exe
2260	vssadmin.exe
2384	vssadmin.exe
2684	vssadmin.exe
1884	vssadmin.exe
1436	vssadmin.exe
1256	vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

pid process

632 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1316	WMIC.exe
Token: SeSecurityPrivilege	1316	WMIC.exe
Token: SeTakeOwnershipPrivilege	1316	WMIC.exe
Token: SeLoadDriverPrivilege	1316	WMIC.exe
Token: SeSystemProfilePrivilege	1316	WMIC.exe
Token: SeSystemtimePrivilege	1316	WMIC.exe
Token: SeProfSingleProcessPrivilege	1316	WMIC.exe
Token: SeIncBasePriorityPrivilege	1316	WMIC.exe
Token: SeCreatePagefilePrivilege	1316	WMIC.exe
Token: SeBackupPrivilege	1316	WMIC.exe
Token: SeRestorePrivilege	1316	WMIC.exe
Token: SeShutdownPrivilege	1316	WMIC.exe
Token: SeDebugPrivilege	1316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1316	WMIC.exe
Token: SeRemoteShutdownPrivilege	1316	WMIC.exe
Token: SeUndockPrivilege	1316	WMIC.exe
Token: SeManageVolumePrivilege	1316	WMIC.exe
Token: 33	1316	WMIC.exe
Token: 34	1316	WMIC.exe
Token: 35	1316	WMIC.exe
Token: SeBackupPrivilege	1400	vssvc.exe
Token: SeRestorePrivilege	1400	vssvc.exe
Token: SeAuditPrivilege	1400	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1316	WMIC.exe
Token: SeSecurityPrivilege	1316	WMIC.exe
Token: SeTakeOwnershipPrivilege	1316	WMIC.exe
Token: SeLoadDriverPrivilege	1316	WMIC.exe
Token: SeSystemProfilePrivilege	1316	WMIC.exe
Token: SeSystemtimePrivilege	1316	WMIC.exe
Token: SeProfSingleProcessPrivilege	1316	WMIC.exe
Token: SeIncBasePriorityPrivilege	1316	WMIC.exe
Token: SeCreatePagefilePrivilege	1316	WMIC.exe
Token: SeBackupPrivilege	1316	WMIC.exe
Token: SeRestorePrivilege	1316	WMIC.exe
Token: SeShutdownPrivilege	1316	WMIC.exe
Token: SeDebugPrivilege	1316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1316	WMIC.exe
Token: SeRemoteShutdownPrivilege	1316	WMIC.exe
Token: SeUndockPrivilege	1316	WMIC.exe
Token: SeManageVolumePrivilege	1316	WMIC.exe
Token: 33	1316	WMIC.exe
Token: 34	1316	WMIC.exe
Token: 35	1316	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

pid	process
632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.execmd.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 632 wrote to memory of 1648	632	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 1648 wrote to memory of 952	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 2036	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 2036	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 2036	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 2036	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 952 wrote to memory of 1184	952	cmd.exe	net.exe
PID 952 wrote to memory of 1184	952	cmd.exe	net.exe
PID 952 wrote to memory of 1184	952	cmd.exe	net.exe
PID 952 wrote to memory of 1184	952	cmd.exe	net.exe
PID 1648 wrote to memory of 1656	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1656	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 472	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 472	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 472	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 472	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 2036 wrote to memory of 564	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 564	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 564	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 564	2036	cmd.exe	vssadmin.exe
PID 1648 wrote to memory of 796	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 796	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 796	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 796	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1656 wrote to memory of 1316	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1316	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1316	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1316	1656	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 2028	1184	net.exe	net1.exe
PID 1184 wrote to memory of 2028	1184	net.exe	net1.exe
PID 1184 wrote to memory of 2028	1184	net.exe	net1.exe
PID 1184 wrote to memory of 2028	1184	net.exe	net1.exe
PID 1648 wrote to memory of 1848	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 924	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 924	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 924	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 1648 wrote to memory of 924	1648	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 472 wrote to memory of 1896	472	cmd.exe	vssadmin.exe
PID 472 wrote to memory of 1896	472	cmd.exe	vssadmin.exe
PID 472 wrote to memory of 1896	472	cmd.exe	vssadmin.exe
PID 472 wrote to memory of 1896	472	cmd.exe	vssadmin.exe
PID 1848 wrote to memory of 1884	1848	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
"C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
  C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      Interacts with shadow copies
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      Interacts with shadow copies
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      Interacts with shadow copies
      PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      Interacts with shadow copies
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      Interacts with shadow copies
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      Interacts with shadow copies
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      Interacts with shadow copies
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      Interacts with shadow copies
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      Interacts with shadow copies
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      Interacts with shadow copies
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      Interacts with shadow copies
      PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      Interacts with shadow copies
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      Interacts with shadow copies
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      Interacts with shadow copies
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      Interacts with shadow copies
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    PID:2080
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      Interacts with shadow copies
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      Interacts with shadow copies
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      Interacts with shadow copies
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      Interacts with shadow copies
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      Interacts with shadow copies
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      Interacts with shadow copies
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      Interacts with shadow copies
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      Interacts with shadow copies
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      Interacts with shadow copies
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      Interacts with shadow copies
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      Interacts with shadow copies
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    PID:2772
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      Interacts with shadow copies
      PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 8008
    3⤵
    - Program crash
    PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-77-0x0000000000000000-mapping.dmp

Download
memory/544-93-0x0000000000000000-mapping.dmp

Download
memory/564-78-0x0000000000000000-mapping.dmp

Download
memory/624-89-0x0000000000000000-mapping.dmp

Download
memory/632-58-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/632-54-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/796-79-0x0000000000000000-mapping.dmp

Download
memory/924-83-0x0000000000000000-mapping.dmp

Download
memory/952-73-0x0000000000000000-mapping.dmp

Download
memory/1072-102-0x0000000000000000-mapping.dmp

Download
memory/1104-99-0x0000000000000000-mapping.dmp

Download
memory/1184-75-0x0000000000000000-mapping.dmp

Download
memory/1256-101-0x0000000000000000-mapping.dmp

Download
memory/1316-80-0x0000000000000000-mapping.dmp

Download
memory/1436-103-0x0000000000000000-mapping.dmp

Download
memory/1456-96-0x0000000000000000-mapping.dmp

Download
memory/1460-94-0x0000000000000000-mapping.dmp

Download
memory/1464-90-0x0000000000000000-mapping.dmp

Download
memory/1480-97-0x0000000000000000-mapping.dmp

Download
memory/1488-106-0x0000000000000000-mapping.dmp

Download
memory/1500-105-0x0000000000000000-mapping.dmp

Download
memory/1548-95-0x0000000000000000-mapping.dmp

Download
memory/1584-92-0x0000000000000000-mapping.dmp

Download
memory/1648-66-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-63-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-70-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1648-55-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1648-56-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1648-69-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-68-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-57-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-71-0x0000000000401043-mapping.dmp

Download
memory/1648-60-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-62-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1648-64-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1656-76-0x0000000000000000-mapping.dmp

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1848-82-0x0000000000000000-mapping.dmp

Download
memory/1880-86-0x0000000000000000-mapping.dmp

Download
memory/1884-85-0x0000000000000000-mapping.dmp

Download
memory/1888-87-0x0000000000000000-mapping.dmp

Download
memory/1896-84-0x0000000000000000-mapping.dmp

Download
memory/1960-98-0x0000000000000000-mapping.dmp

Download
memory/1972-104-0x0000000000000000-mapping.dmp

Download
memory/2020-91-0x0000000000000000-mapping.dmp

Download
memory/2028-81-0x0000000000000000-mapping.dmp

Download
memory/2036-74-0x0000000000000000-mapping.dmp

Download
memory/2080-107-0x0000000000000000-mapping.dmp

Download
memory/2104-108-0x0000000000000000-mapping.dmp

Download
memory/2124-109-0x0000000000000000-mapping.dmp

Download
memory/2152-110-0x0000000000000000-mapping.dmp

Download
memory/2208-111-0x0000000000000000-mapping.dmp

Download
memory/2220-112-0x0000000000000000-mapping.dmp

Download
memory/2260-113-0x0000000000000000-mapping.dmp

Download
memory/2280-114-0x0000000000000000-mapping.dmp

Download
memory/2332-115-0x0000000000000000-mapping.dmp

Download
memory/2356-116-0x0000000000000000-mapping.dmp

Download
memory/2384-117-0x0000000000000000-mapping.dmp

Download
memory/2400-118-0x0000000000000000-mapping.dmp

Download
memory/2416-119-0x0000000000000000-mapping.dmp

Download
memory/2440-120-0x0000000000000000-mapping.dmp

Download
memory/2464-121-0x0000000000000000-mapping.dmp

Download
memory/2484-122-0x0000000000000000-mapping.dmp

Download
memory/2520-123-0x0000000000000000-mapping.dmp

Download
memory/2540-124-0x0000000000000000-mapping.dmp

Download
memory/2592-125-0x0000000000000000-mapping.dmp

Download
memory/2636-126-0x0000000000000000-mapping.dmp

Download
memory/2684-127-0x0000000000000000-mapping.dmp

Download
memory/2716-134-0x0000000000000000-mapping.dmp

Download
memory/2724-128-0x0000000000000000-mapping.dmp

Download
memory/2748-129-0x0000000000000000-mapping.dmp

Download
memory/2772-130-0x0000000000000000-mapping.dmp

Download
memory/2848-131-0x0000000000000000-mapping.dmp

Download
memory/2872-132-0x0000000000000000-mapping.dmp

Download