Analysis
max time kernel: 146s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 06:34
Behavioral task: behavioral1
Sample: 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Resource: win10v2004-20240426-en

Behavioral task: behavioral2
Sample: 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Resource: win11-20240419-en
General
Target: 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Size: 2.5MB
MD5: e63e41e15e86489a98dbeb2e6cb44e8a
SHA1: 5815d349a375f5cdf090ababcff86b3946ed6c07
SHA256: 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da
SHA512: 749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e
SSDEEP: 49152:p+9pcEvA81ugLUKnGkFfHTvdlhylPdVkdL6rMD0uVVePR2EW:ktLUm3FfzvojKdLCAoPR2V
Malware Config
Signatures
MedusaLocker
Ransomware with several variants first seen in September 2019.
MedusaLocker payload 8 IoCs
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
4148 | bcdedit.exe
5112 | bcdedit.exe
Renames multiple (618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid | Process
1960 | wbadmin.exe
4028 | wbadmin.exe
Drops file in Drivers directory 12 IoCs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe\" e" | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Enumerates connected drives 3 TTPs 39 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
716 | 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Drops file in Program Files directory 52 IoCs
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Boot\PCAT\bootmgr 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Panther\setupinfo.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.ReadInstructions 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
4624 vssadmin.exe
4620 vssadmin.exe
2004 vssadmin.exe
3824 vssadmin.exe
2612 vssadmin.exe
4140 vssadmin.exe
3056 vssadmin.exe
3728 vssadmin.exe
3964 vssadmin.exe
3048 vssadmin.exe
400 vssadmin.exe
3748 vssadmin.exe
3180 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe (this same pid/process pair is listed 64 times in this section)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeBackupPrivilege 1368 vssvc.exe
Token: SeRestorePrivilege 1368 vssvc.exe
Token: SeAuditPrivilege 1368 vssvc.exe
Token: SeIncreaseQuotaPrivilege 4492 wmic.exe
Token: SeSecurityPrivilege 4492 wmic.exe
Token: SeTakeOwnershipPrivilege 4492 wmic.exe
Token: SeLoadDriverPrivilege 4492 wmic.exe
Token: SeSystemProfilePrivilege 4492 wmic.exe
Token: SeSystemtimePrivilege 4492 wmic.exe
Token: SeProfSingleProcessPrivilege 4492 wmic.exe
Token: SeIncBasePriorityPrivilege 4492 wmic.exe
Token: SeCreatePagefilePrivilege 4492 wmic.exe
Token: SeBackupPrivilege 4492 wmic.exe
Token: SeRestorePrivilege 4492 wmic.exe
Token: SeShutdownPrivilege 4492 wmic.exe
Token: SeDebugPrivilege 4492 wmic.exe
Token: SeSystemEnvironmentPrivilege 4492 wmic.exe
Token: SeRemoteShutdownPrivilege 4492 wmic.exe
Token: SeUndockPrivilege 4492 wmic.exe
Token: SeManageVolumePrivilege 4492 wmic.exe
Token: 33 4492 wmic.exe
Token: 34 4492 wmic.exe
Token: 35 4492 wmic.exe
Token: 36 4492 wmic.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target
PID 716 wrote to memory of 2004 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 84
PID 716 wrote to memory of 2004 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 84
PID 716 wrote to memory of 4140 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 88
PID 716 wrote to memory of 4140 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 88
PID 716 wrote to memory of 400 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 90
PID 716 wrote to memory of 400 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 90
PID 716 wrote to memory of 3748 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 92
PID 716 wrote to memory of 3748 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 92
PID 716 wrote to memory of 3824 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 94
PID 716 wrote to memory of 3824 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 94
PID 716 wrote to memory of 2612 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 96
PID 716 wrote to memory of 2612 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 96
PID 716 wrote to memory of 3180 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 98
PID 716 wrote to memory of 3180 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 98
PID 716 wrote to memory of 3056 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 101
PID 716 wrote to memory of 3056 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 101
PID 716 wrote to memory of 4624 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 103
PID 716 wrote to memory of 4624 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 103
PID 716 wrote to memory of 4620 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 106
PID 716 wrote to memory of 4620 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 106
PID 716 wrote to memory of 3964 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 108
PID 716 wrote to memory of 3964 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 108
PID 716 wrote to memory of 3728 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 110
PID 716 wrote to memory of 3728 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 110
PID 716 wrote to memory of 3048 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 112
PID 716 wrote to memory of 3048 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 112
PID 716 wrote to memory of 4148 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 115
PID 716 wrote to memory of 4148 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 115
PID 716 wrote to memory of 5112 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 117
PID 716 wrote to memory of 5112 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 117
PID 716 wrote to memory of 1960 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 119
PID 716 wrote to memory of 1960 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 119
PID 716 wrote to memory of 4028 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 121
PID 716 wrote to memory of 4028 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 121
PID 716 wrote to memory of 4492 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 123
PID 716 wrote to memory of 4492 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 123
PID 716 wrote to memory of 4604 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 131
PID 716 wrote to memory of 4604 716 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe 131
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:716
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies
  PID:2004
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies
  PID:4140
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:400
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3748
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3824
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2612
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3180
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3056
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4624
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4620
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3964
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3728
  C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Delete Shadows /All /Quiet
  - Interacts with shadow copies
  PID:3048
  C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
  PID:4148
  C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Modifies boot configuration data using bcdedit
  PID:5112
  C:\Windows\SYSTEM32\wbadmin.exe
  Command line: wbadmin DELETE SYSTEMSTATEBACKUP
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1960
  C:\Windows\SYSTEM32\wbadmin.exe
  Command line: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4028
  C:\Windows\System32\Wbem\wmic.exe
  Command line: wmic.exe SHADOWCOPY /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
  C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0DD34E~1.EXE >> NUL
  PID:4604
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1368
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- Drops file in System32 directory
PID:1116
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
Defense Evasion
  Indicator Removal 3
    File Deletion 3
  Modify Registry 2
  Virtualization/Sandbox Evasion 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions
Filesize: 814B
MD5: 0e485735271fe8f7d671786f8173a3fc
SHA1: 2e3f6ab9758f30f115945a6f1b665bd2540e579a
SHA256: 6af6f3ff19c3d3e980ad692fc18ea288d8c0c8c842a580313e3c133787af9869
SHA512: 200fb6fc1e0ded2e52d7ce80721e327ed16ea6ac7efe883f3fbf7ae5002b6f5ac7884c18fba897007bf60024d074c6b70907b0d75f332254a3b66c2a8dcf4c81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.ReadInstructions
Filesize: 842B
MD5: 7c45c8cda62383efd53a8c6a5df44249
SHA1: 2870a6ab149bb875f06624b84f4dfbeb927919cf
SHA256: 0c6e3c5e2e50109866ed0577e2a4fe385b9c02489d2a9114aeb2ade5cab6b5c2
SHA512: 09ddd026e355da4c724aa64e37aa5d4dbc0b4d4d41b45ecc84bbd947f6a0313d64903f6e0e4035a9b1bef9377c3267711da727187623d761ed2a02213a622f6f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.ReadInstructions
Filesize: 700B
MD5: a4f129d6d555dc8e1255e059e197b3f4
SHA1: 97dd1a242cf235818fb8046df7ec3813c9007551
SHA256: d16181ae005e8c6c958df63fef8c06c85ea4c37d6bd1ea47e46f4615c87e7c95
SHA512: 1a03010436fa98d9ae643847390c9ba0f9074af51801b64c13c17fdd0aa8988b67d7104f3bdee14577089c041192525c68558c3f3df40a1c2f37a6e7e75d2258
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.ReadInstructions
Filesize: 770B
MD5: 7105b279032119e3be20f4ca3b37c2ec
SHA1: 6896627fcc813e4fdb4b819d4735b36398a766f6
SHA256: 9c25cfe5af8556ef4fd6ca696507896cd2f31eeea6fb8a9bc6feddd84720708d
SHA512: d4c17bf9ff9d9cec9eda833ff8bb020c81499dcae93cf36910b2f2849ccf4741e6ed0ce5cb940ed2e50ba27798e2545ef9164fc7068ddbdfc5a215e34cf23c16
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions
Filesize: 842B
MD5: 2c5a0a39a49601f70c30ff67b7c2e187
SHA1: 61d68a719a93b6713d80fa30f0734ad1c446b3ed
SHA256: 593164629be571503a82c0d97a945651d2be5ad3329b48fc60dbd83bfb8c8a42
SHA512: 6efd34137223ba07153e7266a72d2650c705a2581fd7db69d82a5f92a7b68d28d72728c70fefa3d1068b2ed998f2eebf838ac651fc381e9d229d81a49ed46da2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.ReadInstructions
Filesize: 782B
MD5: 2dc1884465ad83e45ad78b22c5bd2aab
SHA1: 30024b7e75ca5293343feffe89e96bf2a876c616
SHA256: 485662eee0655b40632a4269f6e54fa0217ec4b034c79888a2e2232d70cc0c17
SHA512: f7cc40ce5b958d54a9d7e74af897185bea4a3387bf2b0781e4327f29a997752182f5fa1c15b8d916a040cbdcc837dec979c4ad9c625f6c03dc88a9321c003f46
-
Filesize: 22KB
MD5: 66e443a84a690c9f74523543de25e55c
SHA1: c8816b701429dede131a482c400c7c947ea96aae
SHA256: d63284321aa2a9597412743d03c1cdb35e88c01a15cde5f5b64e6715120f4eac
SHA512: fcd033ade951b1b7fd3b406108d7a29f22eb7cfbe1877a268ed05c0dda3fb6a1c52cc601c0f9a39dc82107f27285f6f3617574cc36e0d138b3a8b8ba341f0589
-
Filesize: 2.0MB
MD5: 50c6fcd5932e09901c15e9245407b49a
SHA1: 825397fe99871f3ebffb9488f63a074fd0443bb6
SHA256: 1669a5a15fd17d5b14d2935828a069e394f0577e93e28161450f72db654233ca
SHA512: b181e7f956e4799769687aa2b0aaf2b78be4475571d5c95807d029455a52f771784314a9c8311bdb6c6605d7a0c13795b4c80d50b4032d9cec896186255096d0
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize: 290B
MD5: aaca93b53104d66b6049f6b14d70a91e
SHA1: b3e771c12f821a24605f2af14dbecd6d6ce4b58b
SHA256: 7bb9267382d7034cdbcdd6bfdd690bd3249511754a6e89dc07e31d78a640e71a
SHA512: 122de909d2deb94d976141b1a50f75aa6450dc395b1ac6460542ab19b2efd03d2c4c8a1e06630a6f12a7959d82e88ca0304d552a802728a320110374330f18e2
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.ReadInstructions
Filesize: 814B
MD5: 4fbf9ffa915f43a8c710286bac6a0c10
SHA1: a90043d07490ca276f9156006ea981470677c69b
SHA256: 30ba91769872bf7446a6a57819235a3cbdb9b521ce3af8b4e963eb94136cc43d
SHA512: b239bca574a290176577ed2803cd7cc3855138eca17718c4a9367da80a7e9c134cacc86baf528739f6c22b630c8ec62d045739433cb21f2bef270c13865075b6
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.ReadInstructions
Filesize: 802B
MD5: 7d2168290aa9b2c6bd53b8c4576fc45a
SHA1: 5f1bf6a5de742d425c30eeed9d526915d025f949
SHA256: 4427c635602ff6929c1e14b8b8d6869deff5338a05a675f0319e86de067431f7
SHA512: 84a7e3d37121b423fc68fe1dd08acf8f26d7be81fcdffe259d7f34e886d690366675fb5dc3eff439c3a88238c074ee0c1927330460afbc7116bc17f928924ef8
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.ReadInstructions
Filesize: 842B
MD5: bd4f70ac0f70fb5c5876eac7eaa47491
SHA1: ec223c46eb23db38e0aea4cfd9bd380615db2d49
SHA256: 4f76efd7604ebe9c4466e18e40fa38cafd611a6659b10bd26d9f4ffc141d0eae
SHA512: 2721d6c6382737f11455a8c7643cc68a183fbf36c628894476e8ae07236aa9f1f88086a5bcb51c2656e633e0e7fdb2bd900edc99c4f3e65e8c79452dc1f2be68