5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d

Analysis

max time kernel
97s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
Size

487KB
MD5

8040a1a66e9b6cffba01d78b642140ea
SHA1

acac5dc3f6140c093e1ebace12f1c8579f8fb3bf
SHA256

5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d
SHA512

62a188e40a988e65dfff91e0d0ea88e5f925eb794f66d71073d4d4913298283b7e736abed83b0fc384db5e0ae5a061786bbca7ab97ddec455684604ef89c6138
SSDEEP

6144:1MkLeY49LF6PAd+eDQbS0VeWVa1Kj/5hd2SXvT+r8feNNvy6kLu+1bq7YNZ:1M5XQrVeWVa1Kj/57nmNNeVU76

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (600) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
404	bcdedit.exe
3300	bcdedit.exe
400	bcdedit.exe
3956	bcdedit.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\readme.bmp"	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2692	vssadmin.exe
5024	vssadmin.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\TileWallpaper = "0"	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "0"	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4416	WMIC.exe
Token: SeSecurityPrivilege	4416	WMIC.exe
Token: SeTakeOwnershipPrivilege	4416	WMIC.exe
Token: SeLoadDriverPrivilege	4416	WMIC.exe
Token: SeSystemProfilePrivilege	4416	WMIC.exe
Token: SeSystemtimePrivilege	4416	WMIC.exe
Token: SeProfSingleProcessPrivilege	4416	WMIC.exe
Token: SeIncBasePriorityPrivilege	4416	WMIC.exe
Token: SeCreatePagefilePrivilege	4416	WMIC.exe
Token: SeBackupPrivilege	4416	WMIC.exe
Token: SeRestorePrivilege	4416	WMIC.exe
Token: SeShutdownPrivilege	4416	WMIC.exe
Token: SeDebugPrivilege	4416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4416	WMIC.exe
Token: SeRemoteShutdownPrivilege	4416	WMIC.exe
Token: SeUndockPrivilege	4416	WMIC.exe
Token: SeManageVolumePrivilege	4416	WMIC.exe
Token: 33	4416	WMIC.exe
Token: 34	4416	WMIC.exe
Token: 35	4416	WMIC.exe
Token: 36	4416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4416	WMIC.exe
Token: SeSecurityPrivilege	4416	WMIC.exe
Token: SeTakeOwnershipPrivilege	4416	WMIC.exe
Token: SeLoadDriverPrivilege	4416	WMIC.exe
Token: SeSystemProfilePrivilege	4416	WMIC.exe
Token: SeSystemtimePrivilege	4416	WMIC.exe
Token: SeProfSingleProcessPrivilege	4416	WMIC.exe
Token: SeIncBasePriorityPrivilege	4416	WMIC.exe
Token: SeCreatePagefilePrivilege	4416	WMIC.exe
Token: SeBackupPrivilege	4416	WMIC.exe
Token: SeRestorePrivilege	4416	WMIC.exe
Token: SeShutdownPrivilege	4416	WMIC.exe
Token: SeDebugPrivilege	4416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4416	WMIC.exe
Token: SeRemoteShutdownPrivilege	4416	WMIC.exe
Token: SeUndockPrivilege	4416	WMIC.exe
Token: SeManageVolumePrivilege	4416	WMIC.exe
Token: 33	4416	WMIC.exe
Token: 34	4416	WMIC.exe
Token: 35	4416	WMIC.exe
Token: 36	4416	WMIC.exe
Token: SeBackupPrivilege	1452	vssvc.exe
Token: SeRestorePrivilege	1452	vssvc.exe
Token: SeAuditPrivilege	1452	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2912	WMIC.exe
Token: SeSecurityPrivilege	2912	WMIC.exe
Token: SeTakeOwnershipPrivilege	2912	WMIC.exe
Token: SeLoadDriverPrivilege	2912	WMIC.exe
Token: SeSystemProfilePrivilege	2912	WMIC.exe
Token: SeSystemtimePrivilege	2912	WMIC.exe
Token: SeProfSingleProcessPrivilege	2912	WMIC.exe
Token: SeIncBasePriorityPrivilege	2912	WMIC.exe
Token: SeCreatePagefilePrivilege	2912	WMIC.exe
Token: SeBackupPrivilege	2912	WMIC.exe
Token: SeRestorePrivilege	2912	WMIC.exe
Token: SeShutdownPrivilege	2912	WMIC.exe
Token: SeDebugPrivilege	2912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2912	WMIC.exe
Token: SeRemoteShutdownPrivilege	2912	WMIC.exe
Token: SeUndockPrivilege	2912	WMIC.exe
Token: SeManageVolumePrivilege	2912	WMIC.exe
Token: 33	2912	WMIC.exe
Token: 34	2912	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 820	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	84
PID 4928 wrote to memory of 820	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	84
PID 4928 wrote to memory of 412	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	86
PID 4928 wrote to memory of 412	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	86
PID 4928 wrote to memory of 3956	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	88
PID 4928 wrote to memory of 3956	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	88
PID 4928 wrote to memory of 4496	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	90
PID 4928 wrote to memory of 4496	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	90
PID 412 wrote to memory of 4416	412	cmd.exe	92
PID 412 wrote to memory of 4416	412	cmd.exe	92
PID 820 wrote to memory of 2692	820	cmd.exe	93
PID 820 wrote to memory of 2692	820	cmd.exe	93
PID 4496 wrote to memory of 404	4496	cmd.exe	94
PID 4496 wrote to memory of 404	4496	cmd.exe	94
PID 3956 wrote to memory of 3300	3956	cmd.exe	95
PID 3956 wrote to memory of 3300	3956	cmd.exe	95
PID 4928 wrote to memory of 2308	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	101
PID 4928 wrote to memory of 2308	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	101
PID 4928 wrote to memory of 1160	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	103
PID 4928 wrote to memory of 1160	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	103
PID 4928 wrote to memory of 1172	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	105
PID 4928 wrote to memory of 1172	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	105
PID 4928 wrote to memory of 5084	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	107
PID 4928 wrote to memory of 5084	4928	5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe	107
PID 2308 wrote to memory of 5024	2308	cmd.exe	109
PID 2308 wrote to memory of 5024	2308	cmd.exe	109
PID 1160 wrote to memory of 2912	1160	cmd.exe	110
PID 1160 wrote to memory of 2912	1160	cmd.exe	110
PID 1172 wrote to memory of 400	1172	cmd.exe	111
PID 1172 wrote to memory of 400	1172	cmd.exe	111
PID 5084 wrote to memory of 3956	5084	cmd.exe	112
PID 5084 wrote to memory of 3956	5084	cmd.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
"C:\Users\Admin\AppData\Local\Temp\5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe"
1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\read_me_to_access.txt

Filesize
2KB

MD5
05e96cfa12573c5dab367e6a11b939a9

SHA1
37822be386a3e2019996b2cd0a0e0fbd0e36d649

SHA256
70d1cad91bf037604433ec91d1ce13b701cdc15911578febd0be7c8798bc42eb

SHA512
1272a1bf02837be6fbf96f3f00e2f80ef69dc7432f29283f9bb9d2e245b1ed3e3e0de0641b81e981f0b53213c061dd33bcc7e1884f9ba27637fff218ddcd74e9

Download Submit