Analysis
max time kernel: 20s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/05/2025, 15:16
Behavioral task: behavioral1
Sample: 1.exe
Resource: win11-20250502-en
General
Target: 1.exe
Size: 434KB
MD5: 188aa2b0c254f454088aa765b6b2030a
SHA1: 9bae9a01368f4dba20c9ba2c09a986e6cf86a083
SHA256: 99067d26b7cc568c78e595aa1e0eed2e2f29a421612f0d30ddece76d1095acd5
SHA512: 8e1306df263c7562ac72c274acace34a307b159e7c83fd2cd612ac8a08b3bd7473a663e6e4de13220b1fcf1d4c4db574376a9ffede66cfbcca06479c0a174dfb
SSDEEP: 12288:IP2zDtZ+Te8iKLRkRXXxrdofYM3r3xRMZg5w1+B+:IP2L+TNKxheASNR4
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings (3 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (1.exe)
Disables use of System Restore points (1 TTPs)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81D23CDCE53C9A39C03F717C9A7CBF28.exe (1.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81D23CDCE53C9A39C03F717C9A7CBF28.exe (1.exe)
Drops desktop.ini file(s) (27 IoCs)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\A: (1.exe)
- File opened (read-only): \??\E: (1.exe)
- File opened (read-only): \??\T: (1.exe)
- File opened (read-only): \??\Y: (1.exe)
- File opened (read-only): \??\P: (1.exe)
- File opened (read-only): \??\J: (1.exe)
- File opened (read-only): \??\V: (1.exe)
- File opened (read-only): \??\B: (1.exe)
- File opened (read-only): \??\F: (1.exe)
- File opened (read-only): \??\N: (1.exe)
- File opened (read-only): \??\G: (1.exe)
- File opened (read-only): \??\Q: (1.exe)
- File opened (read-only): \??\R: (1.exe)
- File opened (read-only): \??\U: (1.exe)
- File opened (read-only): \??\O: (1.exe)
- File opened (read-only): \??\K: (1.exe)
- File opened (read-only): \??\L: (1.exe)
- File opened (read-only): \??\X: (1.exe)
- File opened (read-only): \??\W: (1.exe)
- File opened (read-only): \??\I: (1.exe)
- File opened (read-only): \??\S: (1.exe)
- File opened (read-only): \??\H: (1.exe)
- File opened (read-only): \??\Z: (1.exe)
- File opened (read-only): \??\M: (1.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\81D23CDCE53C9A39C03F717C9A7CBF28.bmp" (1.exe)
YARA rule matches (rule: upx)
- behavioral1/memory/976-0-0x00000000005E0000-0x0000000000709000-memory.dmp: upx
- behavioral1/memory/976-8846-0x00000000005E0000-0x0000000000709000-memory.dmp: upx
- behavioral1/memory/976-8876-0x00000000005E0000-0x0000000000709000-memory.dmp: upx
- behavioral1/memory/976-14769-0x00000000005E0000-0x0000000000709000-memory.dmp: upx
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WMIC.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Modifies Control Panel (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop (1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" (1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\TileWallpaper = "0" (1.exe)
Modifies registry class (4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon (1.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon\ = "C:\\ProgramData\\81D23CDCE53C9A39C03F717C9A7CBF28.ico" (1.exe)
- Key created: \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings (1.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 976 (1.exe)
- PID 976 (1.exe)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
- Token: SeRestorePrivilege, PID 976 (1.exe)
- Token: SeTakeOwnershipPrivilege, PID 976 (1.exe)
- Token: SeIncreaseQuotaPrivilege, PID 5072 (WMIC.exe)
- Token: SeSecurityPrivilege, PID 5072 (WMIC.exe)
- Token: SeTakeOwnershipPrivilege, PID 5072 (WMIC.exe)
- Token: SeLoadDriverPrivilege, PID 5072 (WMIC.exe)
- Token: SeSystemProfilePrivilege, PID 5072 (WMIC.exe)
- Token: SeSystemtimePrivilege, PID 5072 (WMIC.exe)
- Token: SeProfSingleProcessPrivilege, PID 5072 (WMIC.exe)
- Token: SeIncBasePriorityPrivilege, PID 5072 (WMIC.exe)
- Token: SeCreatePagefilePrivilege, PID 5072 (WMIC.exe)
- Token: SeBackupPrivilege, PID 5072 (WMIC.exe)
- Token: SeRestorePrivilege, PID 5072 (WMIC.exe)
- Token: SeShutdownPrivilege, PID 5072 (WMIC.exe)
- Token: SeDebugPrivilege, PID 5072 (WMIC.exe)
- Token: SeSystemEnvironmentPrivilege, PID 5072 (WMIC.exe)
- Token: SeRemoteShutdownPrivilege, PID 5072 (WMIC.exe)
- Token: SeUndockPrivilege, PID 5072 (WMIC.exe)
- Token: SeManageVolumePrivilege, PID 5072 (WMIC.exe)
- Token: 33, PID 5072 (WMIC.exe)
- Token: 34, PID 5072 (WMIC.exe)
- Token: 35, PID 5072 (WMIC.exe)
- Token: 36, PID 5072 (WMIC.exe)
Suspicious use of WriteProcessMemory (21 IoCs)
- PID 976 (1.exe) wrote to memory of PID 1160, procid_target 79
- PID 976 (1.exe) wrote to memory of PID 1160, procid_target 79
- PID 976 (1.exe) wrote to memory of PID 1160, procid_target 79
- PID 976 (1.exe) wrote to memory of PID 5384, procid_target 81
- PID 976 (1.exe) wrote to memory of PID 5384, procid_target 81
- PID 976 (1.exe) wrote to memory of PID 5384, procid_target 81
- PID 976 (1.exe) wrote to memory of PID 2880, procid_target 83
- PID 976 (1.exe) wrote to memory of PID 2880, procid_target 83
- PID 976 (1.exe) wrote to memory of PID 2880, procid_target 83
- PID 976 (1.exe) wrote to memory of PID 2180, procid_target 85
- PID 976 (1.exe) wrote to memory of PID 2180, procid_target 85
- PID 976 (1.exe) wrote to memory of PID 2180, procid_target 85
- PID 2180 (cmd.exe) wrote to memory of PID 5072, procid_target 89
- PID 2180 (cmd.exe) wrote to memory of PID 5072, procid_target 89
- PID 2180 (cmd.exe) wrote to memory of PID 5072, procid_target 89
- PID 976 (1.exe) wrote to memory of PID 5708, procid_target 90
- PID 976 (1.exe) wrote to memory of PID 5708, procid_target 90
- PID 976 (1.exe) wrote to memory of PID 5708, procid_target 90
- PID 976 (1.exe) wrote to memory of PID 2972, procid_target 92
- PID 976 (1.exe) wrote to memory of PID 2972, procid_target 92
- PID 976 (1.exe) wrote to memory of PID 2972, procid_target 92
System policy modification (1 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted" (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "We encrypted and stolen all of your files.\r\r\nOpen #HowToRecover.txt and follow the instructions to recover your files.\r\r\nYour ID: 81D23CDCE53C9A39C03F717C9A7CBF28" (1.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 976
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
    PID: 1160
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    PID: 5384
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 2880
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive
    PID: 2180
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic SHADOWCOPY /nointeractive
      PID: 5072
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    PID: 5708
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#HowToRecover.txt
    PID: 2972
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 608B
  MD5: b5b56eeb1cf7e1eb65e5084fd083c7d7
  SHA1: 8de0e9ef629fa5ddba0cc76c5cadc202590afbfc
  SHA256: 9d60b219f17876d4913c48a05600b29c3f2cf47926392fb17a022ac3f3f3845b
  SHA512: 33c16606e0fc517eee796deae01b036de8312f7510434681a24dc3de7c08f51870546800a481fe6d36dd478b6b3f2943ac263f5fac40c97964a1c4333f08c1f6
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\6foV69LVg9.1cxz
  Filesize: 103KB
  MD5: 7c26043d951fb440a1b10ed16c4890db
  SHA1: 686354a823c522881eb442f4e9573991ba5d025d
  SHA256: a1bf9e88ddccb021b8a6219f1585677fd08df0dee5aca3a39297aefcc3d71a19
  SHA512: 508eb08c1de88beedd652b81a02a1d55bfcd39a7308de255e2aa7954f86b22cbb1f9d574d1fbcebfcac75b4d4d9495659032a60a5f1c226e043ecdb558c6d1f5