Malware Analysis Report

2024-09-11 01:15

Sample ID 240320-1xdjbsdc8z
Target AntiRecuvaDB.exe
SHA256 09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa

Threat Level: Known bad

The file AntiRecuvaDB.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (80) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-20 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 22:01

Reported

2024-03-20 22:04

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AntiRecuvaDB.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-string-l1-1-0.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationTypes.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Pipes.AccessControl.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\UIAutomationClientSideProviders.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.XDocument.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Resources.Extensions.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Input.Manipulations.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Design.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-math-l1-1-0.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Loader.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.CSharp.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationProvider.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\netstandard.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Json.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsBase.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Formats.Asn1.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Principal.Windows.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Xaml.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Pipes.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.Win32.Primitives.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\System.Windows.Forms.resources.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Resources.Extensions.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.Primitives.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.Writer.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Transactions.Local.dll.id[81E36399-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 972 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 4568 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1504 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1504 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4568 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1504 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1504 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1504 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 ff5f7a63d3b1f9176e216eb01a0387ad
SHA1 4e6d50eda26c0a8db442a1ccd6752016ddcce562
SHA256 250b7a8c7c2aff03751861c555b536d8d63c2dd0043b099655ad91bd2bada237
SHA512 9fcf2e4bb6e8ab3ed1d52154596e71fba7019d21a9489e07f1b88ccf387266e7491805da54ff033802253cbd6630737113a2f65e6cb43f7ee3c198907b357ca9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 22:01

Reported

2024-03-20 22:04

Platform

win7-20240221-en

Max time kernel

165s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AntiRecuvaDB.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\GetLock.dotm.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado26.tlb C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ja.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.id[038BCC5E-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
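The "File created" rows above all share one marker, .id[038BCC5E-3533].[...].gotmydatafast, appended after the original file name; that marker, not the file paths, is the reusable indicator from this listing. The Python below is an added example written for this report, not code from the sandbox or the sample. It splits Phobos-style names into original name, ID, contact and extension, and counts how many files carry the same marker, which is the logic behind the report's "renames multiple (80) files" signature. Two things are assumptions: the report redacts the contact address to the placeholder [email protected], which the sample input keeps verbatim, and the reading of the ID as an 8-hex per-victim half plus a 4-character per-campaign half follows common Phobos write-ups rather than anything this report states. The threshold of 10 files for a rename burst is also an assumed value.

```python
"""Parse Phobos-style encrypted file names and detect a rename burst.

Added example for this report, not sandbox or sample code.
Marker layout: <original>.id[<victim id>-<suffix>].[<contact>].<extension>
"""
import re
from collections import Counter
from typing import Optional

# Assumption (common Phobos description, not stated by the report): the 8-hex
# half is constant per victim machine, the 4-character half per campaign.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"          # lazy: the report's redacted '[email protected]' has inner brackets
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)


def parse_phobos_name(path: str) -> Optional[dict]:
    """Return the decomposed marker for `path`, or None if the name is untouched."""
    norm = path.replace("/", "\\")
    name = norm.rsplit("\\", 1)[-1]
    m = PHOBOS_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["victim_id"] = fields["victim_id"].upper()
    fields["directory"] = norm[: len(norm) - len(name)]
    return fields


def summarize_encrypted(paths, min_files: int = 10) -> dict:
    """Group encrypted files by (victim_id, campaign, contact, extension).

    Returns the dominant marker, its file count, the reconstructed plain-text
    paths, and whether the count reaches the assumed rename-burst threshold.
    """
    markers = Counter()
    originals = []
    for p in paths:
        f = parse_phobos_name(p)
        if f is None:
            continue
        markers[(f["victim_id"], f["campaign"], f["contact"], f["extension"])] += 1
        originals.append(f["directory"] + f["original"])
    if not markers:
        return {"marker": None, "count": 0, "originals": [], "burst": False}
    marker, count = markers.most_common(1)[0]
    return {"marker": marker, "count": count, "originals": originals,
            "burst": count >= min_files}


# Constructed sample: four 'File created' rows from the report plus two names
# the sample only opened, which must not parse as encrypted.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\sv.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\7-Zip\Lang\tr.txt.id[038BCC5E-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\GetLock.dotm.id[038BCC5E-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.id[038BCC5E-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\7-Zip\Lang\hu.txt",
    r"C:\Program Files\7-Zip\7z.exe",
]

if __name__ == "__main__":
    print(summarize_encrypted(SAMPLE_PATHS, min_files=4))
```

Matching on the marker rather than on the .gotmydatafast extension alone matters: Phobos affiliates rotate the final extension and contact address per campaign, while the .id[...] bracket structure stays the same.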

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A (64 identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2644 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 1724 wrote to memory of 2544 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2956 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2644 wrote to memory of 2516 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2544 wrote to memory of 2384 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2644 wrote to memory of 2692 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2644 wrote to memory of 2028 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2644 wrote to memory of 2104 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2644 wrote to memory of 2204 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Every write here is from a parent into a child it has just created, which is what CreateProcess does while setting up the new process; the rows do not show injection into a running process. Their value is the process tree they expose: AntiRecuvaDB.exe (1724) launches two cmd.exe instances, 2644 for the shadow-copy, boot-configuration and backup-catalog commands and 2544 for the two netsh firewall commands listed under Processes below.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
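Taken one at a time, the command lines above are weak signals: backup agents run vssadmin, administrators run bcdedit. What makes this chain diagnostic is that one process, via two cmd.exe launchers, deletes shadow copies twice (vssadmin and WMIC), disables Windows recovery (both bcdedit settings), wipes the backup catalog (wbadmin) and turns the firewall off (both netsh syntaxes) within seconds. The Python below is an added example written for this report, not code from the sandbox or the sample: it matches process-creation records against those command-line patterns, walks each hit up past the shell to the process that started the chain, and alerts when one originator trips at least two distinct behaviours. The events are constructed from the PIDs in the WriteProcessMemory table and the command lines in the Processes list; the report does not say which netsh PID ran which netsh command, so that pairing, and the parent PID 1000 for the sample, are assumptions. The technique IDs are ATT&CK T1490 (Inhibit System Recovery) and T1562.004 (Disable or Modify System Firewall).

```python
"""Correlate recovery-inhibition and firewall-disable commands across a process tree.

Added example for this report, not sandbox or sample code. Events are
(pid, ppid, image, command line) as a Sysmon Event 1 or Security 4688 feed would give.
"""
import re
from collections import defaultdict

# (ATT&CK technique, behaviour tag, regex over the whitespace-normalised, lower-cased command line)
RULES = [
    ("T1490", "shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all\b")),
    ("T1490", "shadow_copy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490", "boot_recovery_disable",
     re.compile(r"\bbcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("T1490", "backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("T1562.004", "firewall_disable",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b")),
]

# Shell launchers to walk past when attributing a hit to its originator.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed from the report's PIDs and command lines. Assumptions: PID 1000 as the
# sample's parent, and which netsh PID got which of the two netsh command lines.
EVENTS = [
    (1724, 1000, r"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"'),
    (2644, 1724, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2544, 1724, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2956, 2544, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (2384, 2544, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (2516, 2644, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (2692, 2644, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (2028, 2644, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (2104, 2644, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (2204, 2644, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
]


def match_rules(cmdline):
    """Return the set of (technique, tag) pairs whose pattern matches the command line."""
    text = " ".join(cmdline.lower().split())
    return {(tech, tag) for tech, tag, pat in RULES if pat.search(text)}


def originating_process(pid, by_pid):
    """Return the nearest ancestor of `pid` that is not a shell interpreter."""
    cur = by_pid[pid][0]
    seen = set()
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        ppid, image, _ = by_pid[cur]
        if image.rsplit("\\", 1)[-1].lower() not in SHELLS:
            break
        cur = ppid
    return cur


def detect_recovery_inhibition(events, min_distinct_tags=2):
    """Group rule hits by originating process; alert on >= min_distinct_tags behaviours.

    Returns {root_pid: {"image", "techniques", "tags", "children", "alert"}}.
    """
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = defaultdict(lambda: {"image": None, "techniques": set(), "tags": set(),
                                    "children": [], "alert": False})
    for pid, ppid, image, cmd in events:
        hits = match_rules(cmd)
        if not hits:
            continue
        root = originating_process(pid, by_pid)
        f = findings[root]
        f["image"] = by_pid[root][1] if root in by_pid else None
        f["children"].append(pid)
        for tech, tag in hits:
            f["techniques"].add(tech)
            f["tags"].add(tag)
    for f in findings.values():
        f["alert"] = len(f["tags"]) >= min_distinct_tags
    return dict(findings)


if __name__ == "__main__":
    for root, f in detect_recovery_inhibition(EVENTS).items():
        print(root, f["image"], sorted(f["tags"]), "ALERT" if f["alert"] else "")
```

Walking up past cmd.exe is the point of the exercise: the shells are short-lived and carry no useful command line of their own, so an alert keyed on the shell PID would name the wrong process and would not connect the vssadmin branch to the netsh branch.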

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[038BCC5E-3533].[[email protected]].gotmydatafast

MD5 581622649e507da993162bf1b63aa147
SHA1 fec0d7ce72237f16a8bdfc786a51bf961f4d2b5b
SHA256 3d009f95ab5a70ef11e70f411583705c5478cbea6bdb6dc768f0922f5c09699c
SHA512 6e6e992ce3693c03f40a78a04debdc4012b4836a8d9d98325a723a6ca443a61534c1b940129e8411996d886413514a175874f40b72d55dba38c014fdcd80d5ca