Analysis
-
max time kernel
183s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 02:14
Behavioral task
behavioral1
Sample
0.4658229854220858.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0997ba7292ddbac1c7e7ade6766ed53c.exe
Resource
win7-20240708-en
Behavioral task
behavioral7
Sample
0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
0c3431dbb8cd0478250eb4357257880e_localui.dll
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
101.ex_.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
119.executable.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
119.unp.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
11fb52c96853e12f011b7b7894e9884e56eb5522.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
123.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
139.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
144.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
17697e1829f0d18d2051a67bc2bca134_da3ded254909e9abaa46eb5bc3b10944.dll
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
19561b33793dcb865eae56575a899ce8_kovter_from_Sakura82_taskmanger.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf_TDS=4F9B33C5.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Resource
win7-20241023-en
Behavioral task
behavioral27
Sample
234e77145d329956192c389249e20520851853e2a33779be93530788201b612d.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23.zip
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Compenso.Pdf______________________________________________________________.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
30620.ex_.exe
Resource
win7-20241010-en
General
-
Target
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
-
Size
164KB
-
MD5
5f2d13576e4906501c91b8bf400e0890
-
SHA1
adff2761a6afe9ecaa70486c0a04746c676a133b
-
SHA256
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2
-
SHA512
29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd
-
SSDEEP
3072:rIynAdou+ZKzVq6yWcp35EMVGv4sbJt0vQP3rmQp:rIKRD6qnnKdvbfm
Malware Config
Signatures
-
HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
-
Hydracrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (453) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed with an added extension.
-
Drops startup file 3 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_8a9b6c 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_8a9b6c 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe\"" 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\wekiryzu.exe\"" 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Videos\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Documents\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification 
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Music\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification 
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Links\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Music\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative 
Tools\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exedescription ioc process File opened (read-only) \??\Z: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\R: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\O: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\L: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\I: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\A: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\P: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\J: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\E: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\X: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\U: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\Q: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\N: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\M: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\K: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\H: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\Y: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\W: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\V: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File 
opened (read-only) \??\T: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\S: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\G: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe File opened (read-only) \??\B: 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exedescription pid process target process PID 1908 set thread context of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1528 1736 WerFault.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
System Location Discovery: System Language Discovery 1 TTPs 61 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
vssadmin.exevssadmin.exevssadmin.exeWMIC.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.exe1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exevssadmin.execmd.exe1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.execmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.exevssadmin.execmd.execmd.execmd.exenet.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.exevssadmin.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exenet1.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Interacts with shadow copies 3 TTPs 27 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 636 vssadmin.exe 664 vssadmin.exe 2180 vssadmin.exe 2196 vssadmin.exe 1252 vssadmin.exe 2092 vssadmin.exe 1268 vssadmin.exe 2100 vssadmin.exe 2260 vssadmin.exe 3024 vssadmin.exe 2456 vssadmin.exe 2548 vssadmin.exe 2904 vssadmin.exe 588 vssadmin.exe 1592 vssadmin.exe 1860 vssadmin.exe 2684 vssadmin.exe 1740 vssadmin.exe 1416 vssadmin.exe 1972 vssadmin.exe 2144 vssadmin.exe 2184 vssadmin.exe 1708 vssadmin.exe 1536 vssadmin.exe 2480 vssadmin.exe 1812 vssadmin.exe 1996 vssadmin.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exepid process 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
WMIC.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2796 WMIC.exe Token: SeSecurityPrivilege 2796 WMIC.exe Token: SeTakeOwnershipPrivilege 2796 WMIC.exe Token: SeLoadDriverPrivilege 2796 WMIC.exe Token: SeSystemProfilePrivilege 2796 WMIC.exe Token: SeSystemtimePrivilege 2796 WMIC.exe Token: SeProfSingleProcessPrivilege 2796 WMIC.exe Token: SeIncBasePriorityPrivilege 2796 WMIC.exe Token: SeCreatePagefilePrivilege 2796 WMIC.exe Token: SeBackupPrivilege 2796 WMIC.exe Token: SeRestorePrivilege 2796 WMIC.exe Token: SeShutdownPrivilege 2796 WMIC.exe Token: SeDebugPrivilege 2796 WMIC.exe Token: SeSystemEnvironmentPrivilege 2796 WMIC.exe Token: SeRemoteShutdownPrivilege 2796 WMIC.exe Token: SeUndockPrivilege 2796 WMIC.exe Token: SeManageVolumePrivilege 2796 WMIC.exe Token: 33 2796 WMIC.exe Token: 34 2796 WMIC.exe Token: 35 2796 WMIC.exe Token: SeBackupPrivilege 2920 vssvc.exe Token: SeRestorePrivilege 2920 vssvc.exe Token: SeAuditPrivilege 2920 vssvc.exe Token: SeIncreaseQuotaPrivilege 2796 WMIC.exe Token: SeSecurityPrivilege 2796 WMIC.exe Token: SeTakeOwnershipPrivilege 2796 WMIC.exe Token: SeLoadDriverPrivilege 2796 WMIC.exe Token: SeSystemProfilePrivilege 2796 WMIC.exe Token: SeSystemtimePrivilege 2796 WMIC.exe Token: SeProfSingleProcessPrivilege 2796 WMIC.exe Token: SeIncBasePriorityPrivilege 2796 WMIC.exe Token: SeCreatePagefilePrivilege 2796 WMIC.exe Token: SeBackupPrivilege 2796 WMIC.exe Token: SeRestorePrivilege 2796 WMIC.exe Token: SeShutdownPrivilege 2796 WMIC.exe Token: SeDebugPrivilege 2796 WMIC.exe Token: SeSystemEnvironmentPrivilege 2796 WMIC.exe Token: SeRemoteShutdownPrivilege 2796 WMIC.exe Token: SeUndockPrivilege 2796 WMIC.exe Token: SeManageVolumePrivilege 2796 WMIC.exe Token: 33 2796 WMIC.exe Token: 34 2796 WMIC.exe Token: 35 2796 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exepid process 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.execmd.execmd.exenet.execmd.exedescription pid process target process PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 
1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1908 wrote to memory of 1736 1908 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe PID 1736 wrote to memory of 2332 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2332 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2332 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2332 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 1984 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 1984 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 1984 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 1984 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2716 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2716 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe 
PID 1736 wrote to memory of 2716 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2716 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 2332 wrote to memory of 2864 2332 cmd.exe net.exe PID 2332 wrote to memory of 2864 2332 cmd.exe net.exe PID 2332 wrote to memory of 2864 2332 cmd.exe net.exe PID 2332 wrote to memory of 2864 2332 cmd.exe net.exe PID 1984 wrote to memory of 2904 1984 cmd.exe vssadmin.exe PID 1984 wrote to memory of 2904 1984 cmd.exe vssadmin.exe PID 1984 wrote to memory of 2904 1984 cmd.exe vssadmin.exe PID 1984 wrote to memory of 2904 1984 cmd.exe vssadmin.exe PID 2864 wrote to memory of 2896 2864 net.exe net1.exe PID 2864 wrote to memory of 2896 2864 net.exe net1.exe PID 2864 wrote to memory of 2896 2864 net.exe net1.exe PID 2864 wrote to memory of 2896 2864 net.exe net1.exe PID 2716 wrote to memory of 2796 2716 cmd.exe WMIC.exe PID 2716 wrote to memory of 2796 2716 cmd.exe WMIC.exe PID 2716 wrote to memory of 2796 2716 cmd.exe WMIC.exe PID 2716 wrote to memory of 2796 2716 cmd.exe WMIC.exe PID 1736 wrote to memory of 2968 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2968 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2968 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2968 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2872 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2872 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2872 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2872 1736 
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2776 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2776 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2776 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2776 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2608 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2608 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2608 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2608 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2728 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2728 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2728 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2728 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe PID 1736 wrote to memory of 2220 1736 1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the sample stops the VSS service (`net stop vss`) and then deletes shadow copies on every drive letter via `vssadmin Delete Shadows` and `wmic shadowcopy delete`, which removes the local restore points before the files listed under Downloads are renamed with the `.hydracrypttmp_ID_8a9b6c` suffix.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe"C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exeC:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop vss3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\net.exenet stop vss4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vss5⤵
- System Location Discovery: System Language Discovery
PID:2896
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2904
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All3⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=Z: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1252
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All3⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=Y: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All3⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=X: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2144
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All3⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=W: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All3⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=V: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:588
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All3⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=U: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:636
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All3⤵
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=T: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1812
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All3⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=S: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All3⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=R: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2456
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All3⤵
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=Q: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2092
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All3⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=P: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1416
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All3⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=O: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1996
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All3⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=N: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All3⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=M: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1536
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All3⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=L: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2480
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All3⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=K: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:3024
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All3⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=J: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1268
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All3⤵
- System Location Discovery: System Language Discovery
PID:704 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=I: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2196
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All3⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=H: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All3⤵
- System Location Discovery: System Language Discovery
PID:308 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=G: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All3⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=F: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1972
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All3⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=E: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1708
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All3⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=D: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All3⤵
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=C: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All3⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=B: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All3⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=A: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2684
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 84563⤵
- Program crash
PID:1528
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1
Downloads
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_8a9b6c
Filesize126KB
MD50fd75c53014a85c285402ae90d77a7a2
SHA1f60420277902e6ed1431a5d5ead192e2b8ea5e13
SHA256b21bead1ec6f4429351f13d9b410b3ee8a2570faccb6858d9e1baf0cd5d6263b
SHA512005d8f224dd6559e1f43d1073ff71a0754a9deac9694b679c496bb896b74ff4f0b54db631665ffb26358bef4c8bc9dbb31c2747eb1a22b5cc545359477abfb25
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_8a9b6c
Filesize28KB
MD5b28fbf081d549d258bc74cd71bb8101e
SHA145635b30fcbea5bc14719cb0f4931b87b4692791
SHA2566813e40df80e56122295abf13cffeb14fd401c0637cb8d66543c2090b67069e3
SHA51289ae92747be652c25c00a2c383cfaf5769ffc35eb2c0c393e7c38120b67e53c431def12f1682093ddeab295d121a198bafbfed1f87177ec91cb93831d693f457
-
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_8a9b6c
Filesize1KB
MD5b7a42c1db6b1f3778e0b6949e69e8894
SHA1b4b6156c538ca5b7387b3936241dbfdc9658fbab
SHA256d0fff1d2544e237a77b7e039b35026db5032f66129ba8158912c16cf2a84dacf
SHA5126d3f5f51a47a6461958c15f78c05f88c34d270154984cc49b6f050dc1eebb7085b17ee247cc33a972de3db5e2524a8f0783062be4f8c4750c6fe87fc5b66e536
-
C:\ProgramData\Microsoft\Windows\Caches\{C6682E6E-46FA-468A-8F76-ED3318460F44}.2.ver0x0000000000000002.db.hydracrypttmp_ID_8a9b6c
Filesize1KB
MD5c9811e1efb9c8c0de5f535b37bb0fb12
SHA1fceaca5b56ccc01f8fb66b52061b151de41079d7
SHA25650faff01f6eebe1dad3bdabf3e5f90e5acc50778044427f8404c6f244adbbdf9
SHA5123dc01488d24b6fd8b86dd9dbf591a51b907dbba63371cd33267d996645983bd134218c6a7f76445700630b277280d07da8f61f436a0b65211080a304b0e44d44
-
Filesize
67B
MD57679e57fde0171aacf752e9d269c95c4
SHA1a8927155f46608c93034419fcf1eaa5dd0448188
SHA25664ff9bfebbe189cf8962e523affb9839c32dc242f79efd7ef7f264f16ad71644
SHA512f957a8b996cad82c84b5c4fcad44bc795ede2a7c6aaf532a356851f332b796571635daea270b1fd7998a87979fc1a524507f85194bab3ff8096c66348061cd2f
-
Filesize
331B
MD5e870f9e47639e5bd9c2cf4e71563e9f2
SHA1eb7bd9ec860acbb0f15549e844e02a60c89ddd8a
SHA256363294f91ae50d7068d746352d6956f4d94459f386124f4e3ab57cba5a6a297d
SHA512bbbfa93ec6bc0d8f6db0a4e86c122aa1226829fc0ae8b489aacbf5e852fda5add64bd535c0d6ea6da4a22336a3008688f1a3575664616e743e30d1089d3b1e12
-
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051533592.html.hydracrypttmp_ID_8a9b6c
Filesize1.1MB
MD51633cfbc3a974c489204a6a7955d8a9b
SHA1513ee87cb2c4a2157a65f4ad125f58be5818eee5
SHA2562e4567b3bc593286da591a0ef04767aa72517985930195fdadbc857537602171
SHA5129a6dba53cd69c66b02f027850ac116be6cd5687d518a9d0a83a8f1f7c002efc8b65758508ae03673d3c8c2020b10d05a8b0aa197d984c2bfed84d96d07cc4587
-
Filesize
1KB
MD52193ebb854d65ab7ff1506991d36092e
SHA15bd5ff5eea4454fc1613f04c5c8a17335d204e1e
SHA256ddc2fe986400591ad2d3cdadb59c9e225244e4163149e944ac3d062793ba8c43
SHA512abeca001126516e36c341a13db00ae0f9d41fc93d1cfe68e49cf5df63a6244ce530d776525c7dd3e47c5c633d62608b390a70797d300cc55336fe1ed256e9fa9
-
Filesize
915B
MD569157cfa11064b97f07b0b9ecd4e4e08
SHA1b06a9b545661cd8204df5f1484a74066c9047853
SHA256141655bd60cdcba778087f47cb4a10740272689d7bcf5409e0d3fb43881e5704
SHA512c3e5f51d95607c7c9be1319515cc6fec2fa2d955426032eb06d63b70c1592b0f4515d42f93705663dc343d95d227fafa2765cc2a79b5df00869e87ffdb129ad8