medusalocker | 4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4

Analysis

max time kernel
132s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
Size

678KB
MD5

82143033173cbeee7f559002fb8ab8c5
SHA1

e03aedb8b9770f899a29f1939636db43825e95cf
SHA256

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4
SHA512

77377c732c3fb944f56170e6382fbc25e8bbe1f2ffd42290c52da5f33f7301272c67356843464c89bba71b8c45e3d4222fe70bb7a1f80bbe89b3ce2dc498dcf1

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RenameGrant.raw => C:\Users\Admin\Pictures\RenameGrant.raw.nett	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File renamed	C:\Users\Admin\Pictures\RenameReset.tif => C:\Users\Admin\Pictures\RenameReset.tif.nett	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectUninstall.tiff	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File renamed	C:\Users\Admin\Pictures\UnprotectUninstall.tiff => C:\Users\Admin\Pictures\UnprotectUninstall.tiff.nett	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	ioc	Process
File opened (read-only)	\??\F:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\G:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\H:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\S:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\W:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\X:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\E:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\K:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\N:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\O:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\P:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\Q:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\U:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\A:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\B:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\L:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\Z:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\I:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\J:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\M:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\R:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\T:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\V:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
File opened (read-only)	\??\Y:	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
3924	vssadmin.exe
1488	vssadmin.exe
4056	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

pid	Process
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	Process
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2328	wmic.exe
Token: SeSecurityPrivilege	2328	wmic.exe
Token: SeTakeOwnershipPrivilege	2328	wmic.exe
Token: SeLoadDriverPrivilege	2328	wmic.exe
Token: SeSystemProfilePrivilege	2328	wmic.exe
Token: SeSystemtimePrivilege	2328	wmic.exe
Token: SeProfSingleProcessPrivilege	2328	wmic.exe
Token: SeIncBasePriorityPrivilege	2328	wmic.exe
Token: SeCreatePagefilePrivilege	2328	wmic.exe
Token: SeBackupPrivilege	2328	wmic.exe
Token: SeRestorePrivilege	2328	wmic.exe
Token: SeShutdownPrivilege	2328	wmic.exe
Token: SeDebugPrivilege	2328	wmic.exe
Token: SeSystemEnvironmentPrivilege	2328	wmic.exe
Token: SeRemoteShutdownPrivilege	2328	wmic.exe
Token: SeUndockPrivilege	2328	wmic.exe
Token: SeManageVolumePrivilege	2328	wmic.exe
Token: 33	2328	wmic.exe
Token: 34	2328	wmic.exe
Token: 35	2328	wmic.exe
Token: 36	2328	wmic.exe
Token: SeIncreaseQuotaPrivilege	976	wmic.exe
Token: SeSecurityPrivilege	976	wmic.exe
Token: SeTakeOwnershipPrivilege	976	wmic.exe
Token: SeLoadDriverPrivilege	976	wmic.exe
Token: SeSystemProfilePrivilege	976	wmic.exe
Token: SeSystemtimePrivilege	976	wmic.exe
Token: SeProfSingleProcessPrivilege	976	wmic.exe
Token: SeIncBasePriorityPrivilege	976	wmic.exe
Token: SeCreatePagefilePrivilege	976	wmic.exe
Token: SeBackupPrivilege	976	wmic.exe
Token: SeRestorePrivilege	976	wmic.exe
Token: SeShutdownPrivilege	976	wmic.exe
Token: SeDebugPrivilege	976	wmic.exe
Token: SeSystemEnvironmentPrivilege	976	wmic.exe
Token: SeRemoteShutdownPrivilege	976	wmic.exe
Token: SeUndockPrivilege	976	wmic.exe
Token: SeManageVolumePrivilege	976	wmic.exe
Token: 33	976	wmic.exe
Token: 34	976	wmic.exe
Token: 35	976	wmic.exe
Token: 36	976	wmic.exe
Token: SeIncreaseQuotaPrivilege	1884	wmic.exe
Token: SeSecurityPrivilege	1884	wmic.exe
Token: SeTakeOwnershipPrivilege	1884	wmic.exe
Token: SeLoadDriverPrivilege	1884	wmic.exe
Token: SeSystemProfilePrivilege	1884	wmic.exe
Token: SeSystemtimePrivilege	1884	wmic.exe
Token: SeProfSingleProcessPrivilege	1884	wmic.exe
Token: SeIncBasePriorityPrivilege	1884	wmic.exe
Token: SeCreatePagefilePrivilege	1884	wmic.exe
Token: SeBackupPrivilege	1884	wmic.exe
Token: SeRestorePrivilege	1884	wmic.exe
Token: SeShutdownPrivilege	1884	wmic.exe
Token: SeDebugPrivilege	1884	wmic.exe
Token: SeSystemEnvironmentPrivilege	1884	wmic.exe
Token: SeRemoteShutdownPrivilege	1884	wmic.exe
Token: SeUndockPrivilege	1884	wmic.exe
Token: SeManageVolumePrivilege	1884	wmic.exe
Token: 33	1884	wmic.exe
Token: 34	1884	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	pid	Process	procid_target
PID 4032 wrote to memory of 3924	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	75
PID 4032 wrote to memory of 3924	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	75
PID 4032 wrote to memory of 3924	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	75
PID 4032 wrote to memory of 2328	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	78
PID 4032 wrote to memory of 2328	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	78
PID 4032 wrote to memory of 2328	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	78
PID 4032 wrote to memory of 1488	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	80
PID 4032 wrote to memory of 1488	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	80
PID 4032 wrote to memory of 1488	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	80
PID 4032 wrote to memory of 976	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	82
PID 4032 wrote to memory of 976	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	82
PID 4032 wrote to memory of 976	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	82
PID 4032 wrote to memory of 4056	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	84
PID 4032 wrote to memory of 4056	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	84
PID 4032 wrote to memory of 4056	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	84
PID 4032 wrote to memory of 1884	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	86
PID 4032 wrote to memory of 1884	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	86
PID 4032 wrote to memory of 1884	4032	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe	86

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe

C:\Users\Admin\AppData\Local\Temp\4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe
"C:\Users\Admin\AppData\Local\Temp\4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4032
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3924
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1488
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4056
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884