dbfbc98581c82723ed3c35b156ef0924fad11271e0c3c6c6b8447e7e02b05a5d

Analysis

max time kernel
499s
max time network
509s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Size

49KB
MD5

c2734e516454c7af7354a7a4d25cdfa1
SHA1

ad062ffc6cc642ed47549f172e085c15e4902466
SHA256

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97
SHA512

dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367
SSDEEP

1536:dQFgpLzLiugEBVw9wrLM+7UUjl0FSrXaN:CF4zLi9EBpg+3XaN

Score

10^/10

defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README.hta

Ransom Note

<!DOCTYPE html> <html> <head> <title>SORCERY RANSOMWARE NOTE</title> <style> body { background-color: black; color: green; font-family: Arial, sans-serif; } .important { color: red; } h1, h2 { color: red; } </style> </head> <body> <h1>SORCERY RANSOMWARE NOTE</h1> <h2>What happened?</h2> <p>All of your files are encrypted and stolen. Stolen data will be published soon on our Tor website. There is no way to recover your data and prevent data leakage without us. <span class='important'>Decryption is not possible without the private key.</span> Don't waste your and our time trying to recover your files on your own; it is impossible without our help.</p> <h2>What is Ransomware?</h2> <p>Ransomware is a type of malicious software that encrypts your files and demands a ransom payment to restore access to them. Once your files are encrypted, you will not be able to open or use them without a special decryption key. In addition to encrypting your files, ransomware can also steal your data and threaten to publish it if the ransom is not paid.</p> <h2>What is a Decryptor?</h2> <p>A decryptor is a tool that can reverse the encryption applied by ransomware, allowing you to regain access to your files. The decryptor requires a unique private key, which is held by the attackers. Without this key, it is impossible to decrypt your files.</p> <h2>How to recover files & prevent leakage?</h2> <p>We promise that you can recover all your files safely and prevent data leakage. <span class='important'>We can do it!</span></p> <h2>Contact Us</h2> <p><span class='important'>Email:</span> [email protected]</p> <p><span class='important'>Enter DECRYPTION ID:</span> S10</p> <p>You need to contact us within <span class='important'>24 hours</span> so that we can discuss the price for the decryptor.</p> </body> </html>

Emails

[email protected]</p>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (119) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe

Executes dropped EXE 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3900 rundll32.exe
2040 rundll32.exe
2376 rundll32.exe

pid	process
3900	rundll32.exe
2040	rundll32.exe
2376	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exerundll32.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\README = "C:\\Users\\Admin\\AppData\\Local\\rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\J4ZwPn38Y.jpg"	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exerundll32.exe

description	pid	process	target process
PID 4872 set thread context of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 3900 set thread context of 2376	3900	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exepowershell.exerundll32.exepowershell.exerundll32.exe

pid	process
4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
2560	powershell.exe
2560	powershell.exe
3900	rundll32.exe
3900	rundll32.exe
4328	powershell.exe
4328	powershell.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exepowershell.exerundll32.exerundll32.exepowershell.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Token: SeDebugPrivilege	316	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3900	rundll32.exe
Token: SeDebugPrivilege	2376	rundll32.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: 36	1180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: 36	1180	WMIC.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 4872 wrote to memory of 2560	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 4872 wrote to memory of 2560	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 4872 wrote to memory of 2560	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	powershell.exe
PID 4872 wrote to memory of 4848	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 4848	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 4848	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 4932	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 4932	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 4932	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 4872 wrote to memory of 316	4872	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
PID 316 wrote to memory of 3900	316	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 316 wrote to memory of 3900	316	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 316 wrote to memory of 3900	316	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	rundll32.exe
PID 3900 wrote to memory of 4328	3900	rundll32.exe	powershell.exe
PID 3900 wrote to memory of 4328	3900	rundll32.exe	powershell.exe
PID 3900 wrote to memory of 4328	3900	rundll32.exe	powershell.exe
PID 3900 wrote to memory of 2040	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2040	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2040	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 2376	3900	rundll32.exe	rundll32.exe
PID 2376 wrote to memory of 2572	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 2572	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 2572	2376	rundll32.exe	cmd.exe
PID 2572 wrote to memory of 1180	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 1180	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 1180	2572	cmd.exe	WMIC.exe
PID 2376 wrote to memory of 3152	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 3152	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 3152	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 4500	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 4500	2376	rundll32.exe	cmd.exe
PID 2376 wrote to memory of 4500	2376	rundll32.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
2⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
2⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\rundll32.exe
"C:\Users\Admin\AppData\Local\rundll32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Users\Admin\AppData\Local\rundll32.exe
"C:\Users\Admin\AppData\Local\rundll32.exe"
4⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\rundll32.exe
"C:\Users\Admin\AppData\Local\rundll32.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
5⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
5⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
5⤵
PID:4500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe.log
Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b95dcdafeb5ae5a6881df7746ed0dc74

SHA1
15b3b5ccb0a0f0505ca65698c890c57475cdfa33

SHA256
d98a2ecbfe74a7d00fef78a3d58785bf1a6862a2e518b2bd4eb98e429bce1dda

SHA512
bb69747aaf9de909f8df9710596cc1b7d2b732a7212ede8108af691755c4ed4ba41d1cf6426944c33f57781b2044b5d8786fd693a909a6076d14327f217a65be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yomwssix.23n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\rundll32.exe
Filesize
49KB

MD5
c2734e516454c7af7354a7a4d25cdfa1

SHA1
ad062ffc6cc642ed47549f172e085c15e4902466

SHA256
275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97

SHA512
dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367

Download Submit
C:\Users\Public\Desktop\README.hta
Filesize
1KB

MD5
72c1db68d8b6d084a4649a8e645b4b9b

SHA1
b2412983edbb2f85abcf091d2df8d01cb52a6116

SHA256
c3c694124e9ae89e652cd8294ff0d0c452c7185db91fc8758198ce15d83ab1ed

SHA512
77ef54064c7ed8bab1903b2d8d22942943fc0ac1757b5404e53deb3374edd97e14069741730170198e8bd7a24dba79942f6eebd26b2651c71d640b834dd41ff7

Download Submit
memory/316-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/316-44-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/316-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-47-0x0000000006A90000-0x0000000006B26000-memory.dmp

Filesize
600KB

Download
memory/2560-48-0x0000000006A20000-0x0000000006A3A000-memory.dmp

Filesize
104KB

Download
memory/2560-13-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

Filesize
216KB

Download
memory/2560-52-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-49-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/2560-15-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-17-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/2560-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-20-0x0000000005C80000-0x0000000005CA2000-memory.dmp

Filesize
136KB

Download
memory/2560-21-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2560-27-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2560-46-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/2560-39-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-45-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/4328-99-0x0000000005C30000-0x0000000005F84000-memory.dmp

Filesize
3.3MB

Download
memory/4328-196-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/4872-7-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-5-0x0000000005230000-0x00000000052A6000-memory.dmp

Filesize
472KB

Download
memory/4872-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4872-9-0x00000000051C0000-0x00000000051DE000-memory.dmp

Filesize
120KB

Download
memory/4872-16-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-8-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4872-3-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/4872-6-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/4872-4-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download