Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k2.exe
windows7-x64
1Setup (5).exe
windows7-x64
7Setup (6).exe
windows7-x64
7Supplement...16.scr
windows7-x64
3T1.exe
windows7-x64
10T1_b7afca7...b5.exe
windows7-x64
10TeenTube_90767.exe
windows7-x64
10Trojan-Ran....a.exe
windows7-x64
3Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows7-x64
4UNPACKED.exe
windows7-x64
9Uninstall (2).exe
windows7-x64
3Uninstall.exe
windows7-x64
3Upx.exe
windows7-x64
5screenshot2016.exe
windows7-x64
7sidacertification.exe
windows7-x64
3spora.exe
windows7-x64
10svhost.exe
windows7-x64
10sys100s.exe_.exe
windows7-x64
9tordll.dll
windows7-x64
3uacbypass.exe
windows7-x64
3unpack.exe
windows7-x64
10unpacked.ex_.exe
windows7-x64
9unpacked.mem.exe
windows7-x64
10upd.exe
windows7-x64
6verhdiehndi.bat
windows7-x64
8Analysis
-
max time kernel
187s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:39
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241023-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
Setup (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
T1.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
TeenTube_90767.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
UNPACKED.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
Uninstall (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
Uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Upx.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
screenshot2016.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
sidacertification.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
spora.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
svhost.exe
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
sys100s.exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
tordll.dll
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
uacbypass.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
unpack.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
unpacked.ex_.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
unpacked.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
upd.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
verhdiehndi.bat
Resource
win7-20240903-en
General
-
Target
spora.exe
-
Size
112KB
-
MD5
570e9cf484050e21346bcdcb99824d77
-
SHA1
f889cbfd2f25e65fae443c9f70192bd310a04b51
-
SHA256
2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf
-
SHA512
a31ac315c243f7225e32913873426de2a56331f2e47cf0d4ae613ac1ea27b334940a15908e6335db40d92b6cfc9e265143b0b363545c54e356a8d267381b7b2f
-
SSDEEP
1536:Ohw7p8e/dl1SHJ070ir7kREEvxLAEOBHYwBzHy0xD1/wb93vsslLng5n2:OhwH/dlS0QUsxLXOHbBby0b/wB0Ykn2
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 1816 cmd.exe 34 -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 932 bcdedit.exe 2252 bcdedit.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML spora.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2796 set thread context of 1540 2796 spora.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spora.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spora.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1808 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000ec75a2286dc7a24ff959658895e1214a1edbec120bff195b14223d649a3b6ebe000000000e80000000020000200000004fb84450943f52f2b667438e3b35e737e30e9f272e3bf201815f107f3677ae5e20000000bef170c7a7203dd52f23b156f767e62891994ac34c193bde396e011c48843580400000002c90e763d69447c3d4838dd6b5662d9134270c8160648f7f769dfbb9c6858d3d382bd063e41c30f107fc971e99141307445118ffb6f65012ac7fcbc06360fdbd iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68667531-A883-11EF-A5D8-F2DF7204BD4F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408649" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b0273d903cdb01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005be205dabb56b8b3c5179a1596016013c4af9446123505c6f34a8802f8187e8c000000000e8000000002000020000000402ed1ad6795914312986358fd6117bee19875c52d9de4903c06f0b5ec7475d5900000007678c27a81f9ad8a3be5a943863119494e3123dec45eba84b6fb1b7de647c5103ec9fec51f94b40f85077c127cc2f185405683a8b062ab6238e83fc96161a719019500955b0b826323f3b49dd0c0e8d638eb8118b1c0a51da1e0fd4183e7e4390af48ac1e177ed057716a77e1240e23ce552b44126a20fd1fafd8bdd6e56fc62148b0c51aa962ada0ec7e10e97c888b140000000ddff07d6a2ce7dad5e3364fa1493b44c600b1bda4928394d98bbfe8185c5b95abe431d5da8ccff86ce138f7c8411b5367a2249377ac1806dcae65181ba79a5f8 iexplore.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2796 spora.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1484 WMIC.exe Token: SeSecurityPrivilege 1484 WMIC.exe Token: SeTakeOwnershipPrivilege 1484 WMIC.exe Token: SeLoadDriverPrivilege 1484 WMIC.exe Token: SeSystemProfilePrivilege 1484 WMIC.exe Token: SeSystemtimePrivilege 1484 WMIC.exe Token: SeProfSingleProcessPrivilege 1484 WMIC.exe Token: SeIncBasePriorityPrivilege 1484 WMIC.exe Token: SeCreatePagefilePrivilege 1484 WMIC.exe Token: SeBackupPrivilege 1484 WMIC.exe Token: SeRestorePrivilege 1484 WMIC.exe Token: SeShutdownPrivilege 1484 WMIC.exe Token: SeDebugPrivilege 1484 WMIC.exe Token: SeSystemEnvironmentPrivilege 1484 WMIC.exe Token: SeRemoteShutdownPrivilege 1484 WMIC.exe Token: SeUndockPrivilege 1484 WMIC.exe Token: SeManageVolumePrivilege 1484 WMIC.exe Token: 33 1484 WMIC.exe Token: 34 1484 WMIC.exe Token: 35 1484 WMIC.exe Token: SeIncreaseQuotaPrivilege 1484 WMIC.exe Token: SeSecurityPrivilege 1484 WMIC.exe Token: SeTakeOwnershipPrivilege 1484 WMIC.exe Token: SeLoadDriverPrivilege 1484 WMIC.exe Token: SeSystemProfilePrivilege 1484 WMIC.exe Token: SeSystemtimePrivilege 1484 WMIC.exe Token: SeProfSingleProcessPrivilege 1484 WMIC.exe Token: SeIncBasePriorityPrivilege 1484 WMIC.exe Token: SeCreatePagefilePrivilege 1484 WMIC.exe Token: SeBackupPrivilege 1484 WMIC.exe Token: SeRestorePrivilege 1484 WMIC.exe Token: SeShutdownPrivilege 1484 WMIC.exe Token: SeDebugPrivilege 1484 WMIC.exe Token: SeSystemEnvironmentPrivilege 1484 WMIC.exe Token: SeRemoteShutdownPrivilege 1484 WMIC.exe Token: SeUndockPrivilege 1484 WMIC.exe Token: SeManageVolumePrivilege 1484 WMIC.exe Token: 33 1484 WMIC.exe Token: 34 1484 WMIC.exe Token: 35 1484 WMIC.exe Token: SeBackupPrivilege 2780 vssvc.exe Token: SeRestorePrivilege 2780 vssvc.exe Token: SeAuditPrivilege 2780 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 692 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2796 spora.exe 2796 spora.exe 692 iexplore.exe 692 iexplore.exe 1888 IEXPLORE.EXE 1888 IEXPLORE.EXE 1888 IEXPLORE.EXE 1888 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 2796 wrote to memory of 1540 2796 spora.exe 29 PID 1540 wrote to memory of 1484 1540 spora.exe 30 PID 1540 wrote to memory of 1484 1540 spora.exe 30 PID 1540 wrote to memory of 1484 1540 spora.exe 30 PID 1540 wrote to memory of 1484 1540 spora.exe 30 PID 1540 wrote to memory of 692 1540 spora.exe 32 PID 1540 wrote to memory of 692 1540 spora.exe 32 PID 1540 wrote to memory of 692 1540 spora.exe 32 PID 1540 wrote to memory of 692 1540 spora.exe 32 PID 692 wrote to memory of 1888 692 iexplore.exe 33 PID 692 wrote to memory of 1888 692 iexplore.exe 33 PID 692 wrote to memory of 1888 692 iexplore.exe 33 PID 692 wrote to memory of 1888 692 iexplore.exe 33 PID 552 wrote to memory of 1808 552 cmd.exe 37 PID 552 wrote to memory of 1808 552 cmd.exe 37 PID 552 wrote to memory of 1808 552 cmd.exe 37 PID 552 wrote to memory of 932 552 cmd.exe 40 PID 552 wrote to memory of 932 552 cmd.exe 40 PID 552 wrote to memory of 932 552 cmd.exe 40 PID 552 wrote to memory of 2252 552 cmd.exe 41 PID 552 wrote to memory of 2252 552 cmd.exe 41 PID 552 wrote to memory of 2252 552 cmd.exe 41 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\spora.exe"C:\Users\Admin\AppData\Local\Temp\spora.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\spora.exeC:\Users\Admin\AppData\Local\Temp\spora.exe2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1888
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1808
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:932
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2252
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58481b71d61faa011ac20489911dba498
SHA153f0925782f0af815a3125a42a109c092fe2e333
SHA256325029b1e2a7a610cde9f47d26354b46b907d24acc4e90f6b67c2e1b7d04b2d2
SHA51200003a09f5a1494d7b0ce4d7de454f09e1c28cea7a38b1f11f76875005c1349a7f13e1068343482e8e4bcd7d02da4b327c18fd360116c19e979395fe179aaae6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d0422a0fb0856c56d4e3fd14bef61235
SHA1d425e77b5a075635d90ee391dcce6f04327cc723
SHA256a17fca09172603d0242bf08039a872613c25abe19d3b33616141880723e4c3a5
SHA51255d4d57dfa0274fb4ab49ea2df11570fcc5e716a6a5390ce5f38e0ad30da974ba7e7b17b2fa9b82b7dc7ec9bffcf34483fa29590d249a8468f0ff30e7da39028
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5018c34f0cb92c9453571183adbc0d83d
SHA1675ad7ba77992a00b72a8ee018ea6727c953b252
SHA256a2fa0f66e7db180f62d8289322803b58ac96eae1536fa101540ea47612814bc0
SHA51290b0e2b3ea731de6271315a6e43e353a2912d34f12badf501eedda1cf386313d4a69dc0457476e2e2103c95943b1f2f88bee006e721f437da6dcce7b2c115597
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b5e7e8d76341d23d0111070871a29cb5
SHA11b8b335d00bcf36f776f14b977fca4a0e74fc210
SHA2562ff7e7e591813b1d7e7c3d06cdfd2aa2d9a829e71a6ba44d67b864339a2b85b7
SHA5121a354dcb59f754a7a11b8b7e62ce7a385931b66d484a16cbfd22fcfda28992ea83a985e3cdb050d544d301101ca7873bccc77eda553f3b13062d35e85536eade
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dfff273ca3a765bcbd1407fcd2810b2f
SHA10cbac3cc022b932592e975e8592f2adb540ec82b
SHA2569a0099e55d3f18892208dfd6627fb7e0fe3bf002dc3a0660e11f238f325ae619
SHA512665589b07f8b938716a4991fe4c79426eaa1530334e0a77518d6840750cd8cb121764c95176ebfbebfa0d97f67da3be44d9413a9efbfc1f73c97ad7bcb915fe0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5857dca8067ac951311e2574449d15dd9
SHA1ab4cce505a36d6a084d1ceb4d2e618abe643ccad
SHA256fbe124cccbc0e589105b3e1543d570f886d671429a5599ca3e1bce9a285cff9c
SHA5124d167d32f0db96ca6884ae720013b67e741acc88f12bc69f79de41edc6f611cb6fc0a84778f9d461595c4d0170484c8e8af8bb1c664772b2e11e2336f7a11b1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2a8384a28ed4fa28e485f3bf0dbc91f
SHA18e61727691b7d9e989b86157c5f96be6cde9a80c
SHA2561c8a9dc3caa0d2cb48cfe6ee041878f6810458e9839f4333bf0e8f8ac0fad09a
SHA512dbcaeb6008acb8f41af15cc2cb394729a0c2067a5a255f2c9eec56e2208ea95e37a48fa36af03eff66a65b29544bccf1f508d9d54bdb31f7be658fc3e4f6beba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d764851983b159a28c2b1436918274d2
SHA140be46caf56a38ac8f06c71de8acd45528d300db
SHA2568997c26b18eaac8ac417e34ed5122ca2514b01184fe553a167b70f11de9f25d7
SHA512c33047e5d53ddcf86a532d73ea6ad32aa7bc3c871a2a49e43dcc3a9ab3264548446b8fdd8e4c327b90166cf843e18527143dedf5576c5e27772c18883f2cd1b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52e17ed58d368110e0374ecfa4b308e1c
SHA1a3781f69cb4262803d1319b547c2a6bcfae37ec7
SHA256d32888ff8a12a2f2f52a0601bcc2885a6541b8764b5adf7a999f2d0ac103240d
SHA51209e4883b326cafa54fc7de5764fffbb1dfbd4ebbd43bc070295815f137737bf5285654c13644a48c1824cec9e9643e4a34a35783e1f45e332ce091a8e79edb53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2eb0d5510d02c2a4e72c6a703055d2d
SHA1f4c980ec1c714022c4b0f9789704da5eb1fc7991
SHA256a6ee666f3e9f8b2733eedfc031c76575f5321da7cad0e3bac9b03c785bfe37e5
SHA5127c54ac297fa203525988aba19e85734974d3066745c55880b02203a981b1fe441771cf859d1e9edb66558de0b5424eb910edb0b93d1d81f2e857aad9856e4fbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5671c57d4fcaa281ee5a5f58029d46a87
SHA18ac1bb64686620638d0d55ff4b9aa01f67e80dc6
SHA256825fde202331abbee1e00354f7b04d13d1e92b2565a61e201f648f81e5a3911b
SHA512d4fdda79933564f6309a0f62ef48ae449a2861f05572578cf587db0d05b65ed6a72a85c0df28d63be30ec8910b8d973b270100a6ed17e39c831ebeb556c9fd9c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5791af685c309d82a7c431feda3f6550e
SHA1f5092cfa8db6a347e975468fee4af75a50ba8d5b
SHA2561b5e9fad4b135fbf4f7072bdc363913bf223c33f368e8e7f9185abf252361763
SHA512b93b4f233afdd6eb0702ed278979d012a46a57cb9f7afa51af4c7d3f7ca75a8944c2b05be5a8fa1eaaa00def56421f3a13cd5bc3a9f877acb2ee0d1b6995ef20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58abba63eed0fc51db6df1c1c95ef8c38
SHA180419a53103c3b2a964336dd605289003bd65b86
SHA256092e256aca4f47702ef50f4d62987990fc5591e022c3c3da9e86deee723379bd
SHA5122d1e92e7b64abfe0ca9bc89edb4da74b4f42f7b83fa329a352bd8254feeacc17876fdffa97f6cfec137ccc26cd8cd575df6bc9de92534508bcb251d369af4b8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a62e24911465918336a4a2bb772812df
SHA181930232d1a3ea70479226cd4b0db8c0fe0f4288
SHA2568abb34819a227f417b8a88ea734259199056cb7bc0a03d53416a6d1584076b1a
SHA512e1c33298f1fbc0817f3705ea92bc17c93bc51bd95c520420bd6f2903573f20f07f43f6c79c9bdb3a66eb34d0978719c4be71c27ad0c4c551cf775a27ebc01cd8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5baf60c4957e7bbc1e31c1a9155dc4f64
SHA118543727bbecb3cc41b1f77dc9f7e299124114b6
SHA256de56ee67be6f329600f5d30da671a04804d9dcc50236df7fd7d7e5a779a35453
SHA512aa1a6fd1dc961cc7ed2cab1f573ed699d220ac9adfa0f47f6b4453e88e1ee3f6fa448354e94755162b4b0e6209149277c7ef052d510c66112517d62a58636159
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD595e3ee2dfa0b6d5f7206da9b21686e67
SHA1c5f55d6392811fb626ed01b7c962abdd542920e8
SHA256517010463a5c76a9591b9898d0b5f872993e53a8c15d083c17176d5d565cbeb2
SHA51250b8d2376d71f5c689973d698c955cabd590df561120f84d19ff361887cd1755cb4d38bef5561fcd1879b6f9ac37dcfae79c23df8da7b2e2f6d3a874ce35c0fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD565ab68ad3d7c2addb8e1695cb6a01af5
SHA18e65dc39db453fc2feda7f63e61761d6e261ebc3
SHA25686a446b63f145e1c5d5ec5c1d1c42974518199148a245c58e552d9c1051f66a8
SHA51297067c97c9009e488c3e19001619475e0aec173a6c9b81672f2b8beffb094a3075aecdb3ceaf81a74c202067a0c5cefe83fa68f0f4b50335a817521cdae7b65e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51bd0743e8b67e62580a552ec8f9c2349
SHA1a4f32df7ad6f5929e44dce00b9f69f6a432dbbc7
SHA256460b4b52eacf0fdda6e6f993cdb64fe6b5ee7db79c8430e77cfc575ff7f3f7ad
SHA5125408c795e6182aa3baeb5604d95ac2804e547885eeba025b945f71dd244b15f75d0cf77fd147d5a0edf1820e6363eb47a39e533a6c5aadc5dab2b210cfbe6c4d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD561abff02832b67d275b10e21909146ff
SHA16394ad02c77c02c3168be8c3a0b81d2fb8062898
SHA2563ed7b10a126d8144bb966958d98a23bf727e92138a48456e7381b44c4f77759b
SHA51243095a9b0fe2adff81f9c77dc8fbf2c7a4ab28ae1e01a9da2bd0e0cb3c029a3c336ea3543275c288db30ddc64896fc6a133c21a848de3e79b43d88e2fd60e6ff
-
Filesize
14KB
MD5d98f12ec6e0ef7f3117471ba9712a5f1
SHA11771a2bb43ce9b4421a8b643f5c3036e920853b0
SHA256da4343509481acbb5805078da4f397ed35332d95041ca166f77ca8e0d2f21434
SHA512cf4c5079d0288f7ad7f7b93d06884a36932b2b80f6955a749eda716596aee2b66c6d8154aa9b02e365e6ce2c047a47ab18c6c468279f2f810a0eafcb25316205
-
Filesize
5KB
MD5f693ab1fdb0feb2d24976b12fb3e3196
SHA1eb6a62e6e99c6b6005c45cf6a7f202818d35e5fd
SHA256c6dfb028f50623f5cdbec757f0c27cf04fef3690db93fabf714b6c573ccf49c2
SHA5122795161e37a9a3479ee1b849c020afab2f12ae2bf8040b1ad7bd9e8069817772b7b918bfca685096a74676ac7ca0ce7a257b04e879406d99f64d5b2404fc3324