44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
125s
max time network
176s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Size

4.8MB
MD5

5a3c5576c359ce4f40b3274209db2e76
SHA1

8d38f1c0953013d623bea6d6f6f47d5a0c7027f9
SHA256

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
SHA512

a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb
SSDEEP

49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT

Ransom Note

THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY! Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data Personal data Marketing data Confidentional documents Accounting SQL Databases Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: [email protected] or [email protected] Additional ways to communicate in tox chat tox id: 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Program Files directory 64 IoCs

Processes:

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\af.txt	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\is.txt.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\tr.txt.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\yo.txt	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.hgjzitlxe	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2848 sc.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1304 timeout.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1364 vssadmin.exe
1500 vssadmin.exe
580 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

pid process

2096 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2428 vssvc.exe
Token: SeRestorePrivilege 2428 vssvc.exe
Token: SeAuditPrivilege 2428 vssvc.exe

pid	process
2848	sc.exe

pid	process
1304	timeout.exe

pid	process
1364	vssadmin.exe
1500	vssadmin.exe
580	vssadmin.exe

pid	process
2096	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

description	pid	process
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 1832	1864	taskeng.exe	cmd.exe
PID 1864 wrote to memory of 1832	1864	taskeng.exe	cmd.exe
PID 1864 wrote to memory of 1832	1864	taskeng.exe	cmd.exe
PID 1832 wrote to memory of 2848	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 2848	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 2848	1832	cmd.exe	sc.exe
PID 1832 wrote to memory of 1304	1832	cmd.exe	timeout.exe
PID 1832 wrote to memory of 1304	1832	cmd.exe	timeout.exe
PID 1832 wrote to memory of 1304	1832	cmd.exe	timeout.exe
PID 1832 wrote to memory of 580	1832	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 580	1832	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 580	1832	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
"C:\Users\Admin\AppData\Local\Temp\5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\system32\taskeng.exe
taskeng.exe {052E2DE7-0F00-4255-AD55-63BD67F52C0B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1608

C:\Windows\system32\taskeng.exe
taskeng.exe {8FC8DACE-4802-49F7-A121-2971C3E0C523} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\b.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    - Launches sc.exe
    PID:2848
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:1304
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:580
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1364
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT

Filesize
1KB

MD5
b0cfb42691ffe6a59d3b8143f9bfb7d5

SHA1
c5e4b7d8a892cdadbe8ffd4e1ba73b2f13e340f8

SHA256
f01f4211f4e14aa3cac54f331b4a56463651490d6c1c353b9d90f3250d193d82

SHA512
7a0574d7859cdfc022e00a829a8eb7ded4d8b0908f370924bb6bb2a0f8b1fd6416ad02920687f62c82692d303891e8d07cb74e645aecbcb9f91fd06ab661031c

Download Submit
\??\c:\windows\temp\b.bat

Filesize
11KB

MD5
9ef680eda0e357dfcdfe9a7ddcd33514

SHA1
33a5a77eb9bb3be27b37fb8645fbe946b3f5f4ed

SHA256
dc98394f1189fd8ae45eec6e7302993b0cc2da4ab8855503ca6d76ed59b17692

SHA512
e3b3e595d760c13d5509ca8e621dc8bec36d705199effcc60b1c854d0f6ce17bc1eab26ea5704dba1d34a4e35c401cf22917deb088fce1e32403878ebc690293

Download Submit