Overview

Static (score 10)

Score  Sample                   Platform
7      00FAEE82AB...AD.exe      windows7-x64
10     01D2E2B398...A9.exe      windows7-x64
10     0B760ABF10...23.exe      windows7-x64
10     0B8E9BC319...20.exe      windows7-x64
10     0D0E7D8626...E5.exe      windows7-x64
10     0E9765528C...69.exe      windows7-x64
10     0c9fa52ace...7a.exe      windows7-x64
7      15f7ea290d...8c.exe      windows7-x64
10     1CB8203982...26.exe      windows7-x64
10     1CF69170F7...5E.exe      windows7-x64
10     1CFEDCBA10...0E.exe      windows7-x64
7      1DD70E8036...25.exe      windows7-x64
10     1E229029B2...DA.exe      windows7-x64
10     1F5FEB3211...6D.exe      windows7-x64
10     1FD11B5CBB...ED.exe      windows7-x64
10     21977fc851...61.exe      windows7-x64
10     21e1bc4340...01.exe      windows7-x64
7      2C3542B5D9...85.exe      windows7-x64
7      3ac7f91e37...38.exe      windows7-x64
10     3c0fe521f6...16.exe      windows7-x64
10     41c53e90f0...4a.exe      windows7-x64
10     467c2b23b7...be.exe      windows7-x64
10     5b79b6a814...b0.exe      windows7-x64
10     712affaa8b...1).exe      windows7-x64
1      8b04af13b7...21.exe      windows7-x64
Analysis (score 10)

max time kernel: 1799s
max time network: 1565s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17/07/2024, 19:21
Behavioral tasks

behavioral1: 00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe (resource win7-20240704-en)
behavioral2: 01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe (resource win7-20240704-en)
behavioral3: 0B760ABF108DB9BF5EA14F96A53F6D8E1B36FCC28BC75114E923482157B89A23.exe (resource win7-20240705-en)
behavioral4: 0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe (resource win7-20240705-en)
behavioral5: 0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe (resource win7-20240705-en)
behavioral6: 0E9765528C4E8FDCFF83FA07A78F5E73B41B3D9295159C823FE3B1F97C113469.exe (resource win7-20240708-en)
behavioral7: 0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a.exe (resource win7-20240704-en)
behavioral8: 15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c.exe (resource win7-20240704-en)
behavioral9: 1CB82039822CB89811F42B2C3BDBB4256D85D66E942CD69F38D3CB123596C926.exe (resource win7-20240705-en)
behavioral10: 1CF69170F7419E097EB71B514C01D2A028C95D0605F8B91C90A2E28B3216775E.exe (resource win7-20240705-en)
behavioral11: 1CFEDCBA10B4C90789F2C4A6A1CE2C3D4197058E574942400F571BC5D06DF70E.exe (resource win7-20240705-en)
behavioral12: 1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe (resource win7-20240704-en)
behavioral13: 1E229029B2D3FF00EDDE061B1AAF470EE437FA8196D97FAD2C2C6C9EDE5B44DA.exe (resource win7-20240708-en)
behavioral14: 1F5FEB3211A640804B3951DE9EA2037EFCB0D6EE1019D8853F98DAFD6132A76D.exe (resource win7-20240705-en)
behavioral15: 1FD11B5CBB32F4CD5E7947F25E900BB4E59C1C5A21922F0A842EC62C20FAF2ED.exe (resource win7-20240705-en)
behavioral16: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe (resource win7-20240708-en)
behavioral17: 21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01.exe (resource win7-20240708-en)
behavioral18: 2C3542B5D9AB4EED2DD88CD74A02236A944AFD76E8717F65DCD544912229CA85.exe (resource win7-20240705-en)
behavioral19: 3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe (resource win7-20240708-en)
behavioral20: 3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe (resource win7-20240704-en)
behavioral21: 41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a.exe (resource win7-20240704-en)
behavioral22: 467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe (resource win7-20240708-en)
behavioral23: 5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe (resource win7-20240708-en)
behavioral24: 712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489 (1).exe (resource win7-20240705-en)
behavioral25: 8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe (resource win7-20240704-en)
General

Target: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
Size: 235KB
MD5: fac89802b3db89ba74cf8891824af3d6
SHA1: 27b57dfdc8b1b265e3755cc0068be846c4c4981e
SHA256: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061
SHA512: 2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5
SSDEEP: 3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8
Malware Config

Extracted: C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\!#_READ_ME_#!.inf\""
Process: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Drops desktop.ini file(s) (27 IoCs)
Process: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification:
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Cookies\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1.bmp"
Process: 21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (3 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID / Process: 1056 vssadmin.exe, 2348 vssadmin.exe, 2616 vssadmin.exe, 2672 vssadmin.exe, 1728 vssadmin.exe, 2092 vssadmin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token SeBackupPrivilege: PID 2772 vssvc.exe
Token SeRestorePrivilege: PID 2772 vssvc.exe
Token SeAuditPrivilege: PID 2772 vssvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe (PID 2972)
  command line: "C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe"
  signatures: Adds Run key to start application; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3052)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (PID 1056)
          command line: vssadmin.exe Delete Shadows /All /Quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe (PID 2364)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

    C:\Windows\SysWOW64\cmd.exe (PID 2636)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe (PID 2492)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (PID 2348)
          command line: vssadmin.exe delete shadows /all /quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe (PID 2928)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (PID 2616)
          command line: vssadmin.exe Delete Shadows /All /Quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe (PID 2148)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

    C:\Windows\SysWOW64\cmd.exe (PID 2888)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe (PID 1688)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (PID 2672)
          command line: vssadmin.exe delete shadows /all /quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe (PID 2924)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

        C:\Windows\SysWOW64\vssadmin.exe (PID 1728)
          command line: vssadmin.exe Delete Shadows /All /Quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe (PID 2016)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

    C:\Windows\SysWOW64\cmd.exe (PID 2348)
      command line: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe (PID 1924)
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

        C:\Windows\SysWOW64\vssadmin.exe (PID 2092)
          command line: vssadmin.exe delete shadows /all /quiet
          signatures: Interacts with shadow copies

    C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1568)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf

C:\Windows\system32\vssvc.exe (PID 2772)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
Downloads