Malware Analysis Report

2025-01-02 15:39

Sample ID 210528-5ndfbcn3mx
Target 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e
SHA256 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e
Tags
evasion ransomware trojan avaddon
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e

Threat Level: Known bad

The file 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e was found to be: Known bad.

Malicious Activity Summary

evasion ransomware trojan avaddon

Avaddon Ransomware

Avaddon family

Avaddon

UAC bypass

Deletes shadow copies

Executes dropped EXE

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-28 10:50

Signatures

Avaddon Ransomware

ransomware
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Avaddon family

avaddon

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-28 10:50

Reported

2021-05-28 10:53

Platform

win10v20210410

Max time kernel

138s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe"

Signatures

UAC bypass

evasion trojan

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\UnblockStep.png => C:\Users\Admin\Pictures\UnblockStep.png.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReadEnable.tif => C:\Users\Admin\Pictures\ReadEnable.tif.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareMerge.raw => C:\Users\Admin\Pictures\CompareMerge.raw.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\HideResize.raw => C:\Users\Admin\Pictures\HideResize.raw.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ReceiveWait.tiff | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandInitialize.tif => C:\Users\Admin\Pictures\ExpandInitialize.tif.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReceiveWait.tiff => C:\Users\Admin\Pictures\ReceiveWait.tiff.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestartComplete.tif => C:\Users\Admin\Pictures\RestartComplete.tif.aecbdCDcBe | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\V:, \??\E:, \??\L:, \??\P:, \??\X:, \??\Y:, \??\N:, \??\O:, \??\T:, \??\M:, \??\U:, \??\B:, \??\F:, \??\J:, \??\I:, \??\K:, \??\Q:, \??\R:, \??\S:, \??\A:, \??\G:, \??\H:, \??\W:, \??\Z: (one row per drive letter in the original, 24 in all, in this order; every letter from A: to Z: except C: and D:) | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
(the same row is recorded 64 times in the original)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
(the same 21-row WMIC.exe sequence is recorded a second time, in the same order, immediately after the rows above)
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
(the WMIC.exe sequence is then recorded a third time, in the same order, ending at Token: 34)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1892 wrote to memory of 1820 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2356 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2792 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3992 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3496 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 700 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3544 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3860 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1676 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2808 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1688 (3 entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1892 wrote to memory of 3936 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4080 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4132 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4196 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4252 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4304 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4360 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4400 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 4408 (3 entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 700 wrote to memory of 4516 (3 entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 4132 wrote to memory of 4624 (1 entry) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

"C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet
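
The process list above is the whole recovery-inhibition sequence in one place: the sample spawns cmd.exe /c for each of vssadmin Delete Shadows, wmic SHADOWCOPY (note: as recorded, without a DELETE verb), wbadmin DELETE SYSTEMSTATEBACKUP and both bcdedit changes, then repeats the batch. Two points a detection engineer should take from it: the sample is 32-bit, so the children really run from SysWOW64 although every command line names System32, and the tools are always reached through cmd.exe rather than called directly. The script below, an added example for this page and not the sandbox's own signature logic, classifies command lines and the Policies\System registry writes from the tables above against those patterns and tallies the ATT&CK techniques; the event lines are constructed from the report plus one benign control line.

```python
"""Classify process command lines and registry writes recorded in this
report against the recovery-inhibition (T1490) and UAC-tampering (T1548.002)
behaviours.  Added example for this page; not the sandbox's own signature
logic.  Event lines are constructed from the report's Processes and
'System policy modification' tables plus one benign control."""
import re
from collections import Counter

SAMPLE_EVENTS = [
    # (kind, line).  The sample is 32-bit, so these children actually run
    # from SysWOW64 even though the command line names System32: match on
    # the command text, never on the image path.
    ('process', r'"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'),
    ('process', r'vssadmin.exe Delete Shadows /All /Quiet'),
    ('process', r'wmic.exe SHADOWCOPY /nointeractive'),
    ('registry', r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    ('registry', r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"'),
    ('registry', r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"'),
    ('process', r'"C:\Windows\System32\cmd.exe" /c echo benign'),  # control: must not match
]

# (label, ATT&CK technique, pattern).  Searched over the whole command line,
# case-insensitively, so the inner command is caught whether or not it is
# wrapped in `cmd.exe /c`.  The wmic rule matches with or without a verb.
PROCESS_RULES = [
    ('vssadmin delete shadows', 'T1490',
     re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I)),
    ('wmic shadowcopy', 'T1490',
     re.compile(r'\bwmic(\.exe)?\s+shadowcopy\b', re.I)),
    ('wbadmin delete system state backup', 'T1490',
     re.compile(r'\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b', re.I)),
    ('bcdedit recovery disabled', 'T1490',
     re.compile(r'\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b', re.I)),
    ('bcdedit ignore boot failures', 'T1490',
     re.compile(r'\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b', re.I)),
]

# value name -> (value that is suspicious when written, label, technique)
UAC_POLICY_RULES = {
    'EnableLUA': ('0', 'UAC disabled', 'T1548.002'),
    'ConsentPromptBehaviorAdmin': ('0', 'silent elevation for administrators', 'T1548.002'),
    'EnableLinkedConnections': ('1', 'mapped drives shared with elevated token', 'T1112'),
}
UAC_POLICY_KEY = '\\policies\\system\\'
REG_WRITE = re.compile(r'(?P<path>\\REGISTRY\\\S+)\s*=\s*"(?P<value>[^"]*)"')


def classify(kind, line):
    """Return (label, technique) for one event, or None when nothing matches."""
    if kind == 'process':
        for label, technique, pattern in PROCESS_RULES:
            if pattern.search(line):
                return label, technique
        return None
    if kind == 'registry':
        m = REG_WRITE.search(line)
        if not m or UAC_POLICY_KEY not in m.group('path').lower():
            return None
        name = m.group('path').rsplit('\\', 1)[1]
        rule = UAC_POLICY_RULES.get(name)
        if rule and m.group('value') == rule[0]:
            return rule[1], rule[2]
    return None


def triage(events):
    """Classify every event; return (hit rows, per-technique counts)."""
    hits = [(kind, line, *result) for kind, line in events
            if (result := classify(kind, line)) is not None]
    return hits, Counter(t for *_, t in hits)


if __name__ == '__main__':
    hits, techniques = triage(SAMPLE_EVENTS)
    for kind, line, label, technique in hits:
        print(f'{technique:10} {label:38} {line}')
    print(dict(techniques))
```

Matching on command text rather than image path is deliberate: it survives the System32/SysWOW64 redirection seen here and also catches the `wmic shadowcopy delete` form, which this sample does not use. A single T1490 hit from an interactive admin session is noise; the pattern worth alerting on is several distinct T1490 hits within seconds whose parent chain leads back to a non-system binary, as the process list here shows.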

Network

Country Destination Domain Proto
N/A 10.10.0.1:445 N/A tcp
N/A 10.10.0.1:139 N/A tcp
N/A 10.10.0.21:50569 N/A tcp
N/A 10.10.0.10:445 N/A tcp
N/A 10.10.0.11:445 N/A tcp
N/A 10.10.0.37:62642 N/A tcp
N/A 10.10.0.35:60986 N/A tcp
N/A 10.10.0.41:63299 N/A tcp
N/A 10.10.0.16:445 N/A tcp
N/A 10.10.0.18:445 N/A tcp
N/A 10.10.0.21:445 N/A tcp
N/A 10.10.0.22:445 N/A tcp
N/A 10.10.0.23:445 N/A tcp
N/A 10.10.0.11:59397 N/A tcp
N/A 10.10.0.29:445 N/A tcp
N/A 10.10.0.23:50706 N/A tcp
N/A 10.10.0.36:445 N/A tcp
N/A 10.10.0.39:445 N/A tcp
N/A 10.10.0.18:51941 N/A tcp
N/A 10.10.0.22:64467 N/A tcp
N/A 10.10.0.10:64416 N/A tcp

All 21 destinations are private (RFC 1918) addresses on the sandbox's own 10.10.0.0/24 network and none was reached through a domain name. Twelve entries are SMB/NetBIOS session ports (445 on eleven distinct hosts, plus 139 on 10.10.0.1), consistent with probing neighbouring hosts for shares and with the A: to Z: drive enumeration recorded under behavioral1 below. The nine remaining entries go to high-numbered ports on the same hosts; the report records nothing about their content. No external or command-and-control destination appears in this detonation.

Files

memory/1820-114-0x0000000000000000-mapping.dmp

memory/2356-115-0x0000000000000000-mapping.dmp

memory/2792-116-0x0000000000000000-mapping.dmp

memory/3992-117-0x0000000000000000-mapping.dmp

memory/700-119-0x0000000000000000-mapping.dmp

memory/3496-118-0x0000000000000000-mapping.dmp

memory/3544-120-0x0000000000000000-mapping.dmp

memory/3860-121-0x0000000000000000-mapping.dmp

memory/2808-123-0x0000000000000000-mapping.dmp

memory/3936-125-0x0000000000000000-mapping.dmp

memory/1688-124-0x0000000000000000-mapping.dmp

memory/1676-122-0x0000000000000000-mapping.dmp

memory/4132-127-0x0000000000000000-mapping.dmp

memory/4080-126-0x0000000000000000-mapping.dmp

memory/4196-128-0x0000000000000000-mapping.dmp

memory/4304-130-0x0000000000000000-mapping.dmp

memory/4252-129-0x0000000000000000-mapping.dmp

memory/4400-132-0x0000000000000000-mapping.dmp

memory/4408-133-0x0000000000000000-mapping.dmp

memory/4360-131-0x0000000000000000-mapping.dmp

memory/4516-134-0x0000000000000000-mapping.dmp

memory/4624-135-0x0000000000000000-mapping.dmp

memory/4652-136-0x0000000000000000-mapping.dmp

memory/4684-137-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-28 10:50

Reported

2021-05-28 10:53

Platform

win7v20210410

Max time kernel

130s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon Ransomware

ransomware
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\BackupAdd.tiff C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\DebugTrace.png => C:\Users\Admin\Pictures\DebugTrace.png.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\RedoTrace.png => C:\Users\Admin\Pictures\RedoTrace.png.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\BackupAdd.tiff => C:\Users\Admin\Pictures\BackupAdd.tiff.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\AssertOptimize.png => C:\Users\Admin\Pictures\AssertOptimize.png.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\GrantUndo.raw => C:\Users\Admin\Pictures\GrantUndo.raw.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File renamed C:\Users\Admin\Pictures\RestartDisable.tif => C:\Users\Admin\Pictures\RestartDisable.tif.bEaaeEdDcA C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeSearch.tiff C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
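
The rename rows above and the single row in behavioral2 show the same pattern with a different ten-letter suffix per run (bEaaeEdDcA here, aecbdCDcBe in behavioral2), so a detection keyed on a fixed extension would miss the next detonation. What survives across runs is the shape of the activity: many files of several original types renamed to <original name>.<one new suffix> by one process. The following detector, an added example for this page and not part of the report, groups rename events by appended suffix and flags a suffix that hits many files spanning several original extensions; the rename pairs are copied from the report's tables, while the two benign renames, the thresholds and the BENIGN_APPENDED list are constructed assumptions to tune locally.

```python
"""Flag a ransomware-style rename burst: many user files renamed to
<original name>.<one new suffix>.  Added example for this page, not part of
the report.  Rename pairs are copied from the report's 'Modifies extensions
of user files' tables; the benign renames, thresholds and BENIGN_APPENDED
set are constructed assumptions."""
import ntpath
from collections import defaultdict

SAMPLE_RENAMES = [
    # (old path, new path) as the sandbox recorded them, behavioral1 first.
    (r'C:\Users\Admin\Pictures\DebugTrace.png',     r'C:\Users\Admin\Pictures\DebugTrace.png.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\InvokeSearch.tiff',  r'C:\Users\Admin\Pictures\InvokeSearch.tiff.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\RedoTrace.png',      r'C:\Users\Admin\Pictures\RedoTrace.png.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\BackupAdd.tiff',     r'C:\Users\Admin\Pictures\BackupAdd.tiff.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\AssertOptimize.png', r'C:\Users\Admin\Pictures\AssertOptimize.png.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\GrantUndo.raw',      r'C:\Users\Admin\Pictures\GrantUndo.raw.bEaaeEdDcA'),
    (r'C:\Users\Admin\Pictures\RestartDisable.tif', r'C:\Users\Admin\Pictures\RestartDisable.tif.bEaaeEdDcA'),
    # the one rename recorded in behavioral2 (different random suffix)
    (r'C:\Users\Admin\Pictures\UnblockStep.png',    r'C:\Users\Admin\Pictures\UnblockStep.png.aecbdCDcBe'),
    # constructed benign renames that must not trigger
    (r'C:\Users\Admin\Documents\report.tmp',        r'C:\Users\Admin\Documents\report.docx'),
    (r'C:\Users\Admin\Downloads\setup.exe.part',    r'C:\Users\Admin\Downloads\setup.exe'),
]

# Suffixes legitimately appended to a whole filename (editors, downloaders,
# backup tools).  Assumption: extend per environment.
BENIGN_APPENDED = {'bak', 'tmp', 'part', 'crdownload', 'old', 'orig'}


def appended_suffix(old, new):
    """Return S when new == old + '.' + S and S is a plain token, else None."""
    if not new.startswith(old + '.'):
        return None
    suffix = new[len(old) + 1:]
    if not suffix or '\\' in suffix or '/' in suffix:
        return None
    return suffix


def detect_rename_burst(renames, min_files=5, min_orig_exts=2):
    """Group appended-suffix renames by suffix and return those that touched
    at least min_files distinct files spanning at least min_orig_exts
    original extensions.  Keyed on the suffix observed, not a fixed list,
    because the suffix changes per run."""
    groups = defaultdict(lambda: {'files': set(), 'orig_exts': set()})
    for old, new in renames:
        suffix = appended_suffix(old, new)
        if suffix is None or suffix.lower() in BENIGN_APPENDED:
            continue
        groups[suffix]['files'].add(old.lower())
        groups[suffix]['orig_exts'].add(ntpath.splitext(old)[1].lstrip('.').lower())
    return {
        suffix: {'files': len(g['files']), 'orig_exts': sorted(g['orig_exts'])}
        for suffix, g in groups.items()
        if len(g['files']) >= min_files and len(g['orig_exts']) >= min_orig_exts
    }


if __name__ == '__main__':
    for suffix, info in detect_rename_burst(SAMPLE_RENAMES).items():
        print(f'suffix .{suffix}: {info["files"]} files, original types {info["orig_exts"]}')
```

In production the grouping would also be bounded by a time window and by the renaming process, neither of which this report records; the tables here do show the write-then-rename order (a file is "opened for modification" before it is renamed), which is a second signal worth correlating.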

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A

Despite the signature name, the recorded indicator is a write, not a read: it is the same EnableLUA = 0 write listed under "System policy modification" below.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A

(The original report repeats this row 64 times: 64 process-enumeration events by the sample, none with a recorded description, indicator or target.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

The 20-privilege WMIC.exe block above appears three times in the original report as identical rows; the repeats are omitted here. The sandbox printed "33", "34" and "35" as raw privilege LUIDs it did not resolve; the names in parentheses are the standard Windows assignments for those values. This is the full privilege set of an elevated administrator token, which WMIC.exe enables at start-up regardless of the query it runs, so the signature confirms that the sample ran elevated but is not specific to shadow-copy deletion. The three vssvc.exe rows are the Volume Shadow Copy service enabling its own backup, restore and audit privileges while handling the vssadmin request.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 1748 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1840 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1784 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1384 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1664 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 332 (logged 4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1116 wrote to memory of 784 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 272 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 288 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 272 wrote to memory of 596 (logged 4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1116 wrote to memory of 1168 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1072 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 524 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 1572 (logged 4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1116 wrote to memory of 868 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 324 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe C:\Windows\SysWOW64\cmd.exe

(Each parent-to-child write is listed four times in the original report; the 64 rows are collapsed to the 16 distinct parent/child pairs here. The writes are the sample, PID 1116, creating its cmd.exe children, and those cmd.exe instances in turn creating WMIC.exe and vssadmin.exe.)
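
The WriteProcessMemory rows are the only place this report records parent/child relationships, and they do so indirectly: every CreateProcess appears as the parent writing into the new child, and the sandbox logs each such write several times. Rebuilding the tree from them shows what an analyst actually wants, a Temp-directory binary (PID 1116) whose cmd.exe children hand off to WMIC.exe and vssadmin.exe. The script below, an added example for this page and not a tool from the report, parses rows in the report's own row format, collapses the repeats, renders the tree and lists the ancestry chain of every sensitive tool; the rows are constructed from a subset of the table above with the four-fold repetition kept.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.
Added example for this page, not part of the report.  Rows are constructed
in the report's own format:
  PID <parent> wrote to memory of <child> N/A <parent image> <child image>
and each edge is repeated four times, as the sandbox logs it."""
import ntpath
import re
from collections import defaultdict

SAMPLE_EXE = r'C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe'
CMD = r'C:\Windows\SysWOW64\cmd.exe'
WMIC = r'C:\Windows\SysWOW64\Wbem\WMIC.exe'
VSSADMIN = r'C:\Windows\SysWOW64\vssadmin.exe'


def _row(parent, child, pimg, cimg):
    return f'PID {parent} wrote to memory of {child} N/A {pimg} {cimg}'


SAMPLE_ROWS = (
    [_row(1116, 1748, SAMPLE_EXE, CMD)] * 4
    + [_row(1748, 332, CMD, WMIC)] * 4
    + [_row(1116, 784, SAMPLE_EXE, CMD)] * 4
    + [_row(784, 1572, CMD, VSSADMIN)] * 4
    + [_row(1116, 272, SAMPLE_EXE, CMD)] * 4
    + [_row(272, 596, CMD, WMIC)] * 4
    + ['Description Indicator Process Target']   # table header, must be ignored
)

ROW = re.compile(r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) '
                 r'N/A (?P<pimg>\S+) (?P<cimg>\S+)$')


def build_tree(rows):
    """Return (parent_of, image_of, children); repeated edges are collapsed."""
    parent_of, image_of, children, seen = {}, {}, defaultdict(list), set()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        parent, child = int(m['parent']), int(m['child'])
        image_of.setdefault(parent, m['pimg'])
        image_of.setdefault(child, m['cimg'])
        if (parent, child) in seen:
            continue
        seen.add((parent, child))
        parent_of[child] = parent
        children[parent].append(child)
    return parent_of, image_of, children


def roots(parent_of, children):
    """PIDs that create children but were not created by a logged write."""
    return sorted(pid for pid in children if pid not in parent_of)


def render(children, image_of, pid, depth=0):
    """Indented text tree: one line per process, two spaces per level."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(image_of[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image_of, child, depth + 1))
    return lines


def ancestry(parent_of, pid):
    """Chain from the root down to pid, e.g. [1116, 784, 1572]."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def chains_to(parent_of, image_of, tool_basenames):
    """Ancestry of every process whose image basename is a watched tool."""
    watched = {name.lower() for name in tool_basenames}
    return [ancestry(parent_of, pid) for pid in sorted(parent_of)
            if ntpath.basename(image_of[pid]).lower() in watched]


if __name__ == '__main__':
    parent_of, image_of, children = build_tree(SAMPLE_ROWS)
    for root in roots(parent_of, children):
        print('\n'.join(render(children, image_of, root)))
    for chain in chains_to(parent_of, image_of, {'wmic.exe', 'vssadmin.exe'}):
        print(' -> '.join(f'{pid}:{ntpath.basename(image_of[pid])}' for pid in chain))
```

The chains are the detection-worthy artefact: vssadmin.exe and WMIC.exe are ordinary administrative tools, but a chain that starts at an executable in a user's Temp directory, passes through cmd.exe and ends in one of them is the shape of T1490 as this sample performs it.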

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe N/A

These three writes are the same in both detonations. EnableLUA = 0 turns UAC off entirely, but that change only takes effect after a restart; ConsentPromptBehaviorAdmin = 0 makes elevation for members of Administrators silent, with neither a consent nor a credential prompt; EnableLinkedConnections = 1 makes drive letters mapped under the user's filtered token visible to the elevated token as well, so network shares the logged-on user has mapped become reachable to the elevated encryptor. Writing to this key requires administrator rights, so the writes themselves are evidence that the sample was already running elevated.

Processes

C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

"C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe

taskeng.exe {DABA8860-D4BF-4DC5-B006-F56125B85708} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe
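The process list above (cmd.exe /c relaying vssadmin, wmic, wbadmin and bcdedit) and the System policy modification rows before it are the two behaviours a detection engineer would key on. The following is an added example, not code from the sandbox or from the report: it classifies process-creation and registry-set events into recovery inhibition and UAC policy weakening, attributes each hit to the process that requested it rather than to the cmd.exe relay, and grades each origin. The event records are constructed inline from the report's command lines and registry values; PIDs other than 1116, 868 and 324 (which the report shows) are made up, as is the Explorer-spawned control chain.

```python
# Added example (not from the sandbox report): classify process-creation and
# registry-set events like the ones listed above. Sample events are constructed
# inline from the report's command lines; PIDs other than 1116/868/324 are made up.
import re
from dataclasses import dataclass

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# value name -> (setting that weakens UAC, what it means)
UAC_POLICY_INDICATORS = {
    "EnableLUA": ("0", "UAC disabled"),
    "ConsentPromptBehaviorAdmin": ("0", "admins elevate without prompt"),
    "EnableLinkedConnections": ("1", "mapped drives visible to elevated token"),
}
# ATT&CK T1490 (Inhibit System Recovery): the forms in the process list above
# plus the usual verb variants of the same tools.
RECOVERY_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b", re.I)),
    ("wbadmin delete backup", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|catalog|backup)\b", re.I)),
    ("bcdedit recovery disabled", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit ignore boot failures", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# Relays only; the actor is their first other ancestor (here: the sample itself).
PASS_THROUGH = {"cmd.exe", "vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe"}

@dataclass(frozen=True)
class Finding:
    technique: str    # "inhibit_recovery" or "uac_policy"
    label: str
    origin_pid: int   # process that requested the action, not the cmd.exe relay
    origin_image: str
    detail: str

def _origin(pid, procs):
    """Walk parent links past cmd.exe and the recovery tools themselves."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        if image.rsplit("\\", 1)[-1].lower() not in PASS_THROUGH:
            return pid, image
        pid = ppid
    return pid, "<unknown>"  # ancestor missing from telemetry; keep the pid

def classify(events):
    """One Finding per (technique, label, origin): a tool seen in the cmd.exe /c
    line and again as its own process is reported once."""
    procs = {e["pid"]: (e["image"], e["ppid"]) for e in events if e["type"] == "process"}
    found = {}

    def record(technique, label, pid, detail):
        opid, oimg = _origin(pid, procs)
        found.setdefault((technique, label, opid), Finding(technique, label, opid, oimg, detail))

    for e in events:
        if e["type"] == "process":
            for label, pat in RECOVERY_PATTERNS:
                if pat.search(e["cmdline"]):
                    record("inhibit_recovery", label, e["pid"], e["cmdline"])
        elif e["type"] == "registry":
            key, _, name = e["path"].rpartition("\\")
            weak = UAC_POLICY_INDICATORS.get(name)
            if weak and key.lower() == POLICY_KEY.lower() and e["value"] == weak[0]:
                record("uac_policy", weak[1], e["pid"], f"{name}={e['value']}")
    return sorted(found.values(), key=lambda f: (f.origin_pid, f.technique, f.label))

def verdict(findings):
    """Two or more distinct recovery-inhibition techniques from one origin is the
    pattern this report shows; a single hit may be an admin at a prompt."""
    hits = {}
    for f in findings:
        hits.setdefault(f.origin_pid, set()).add((f.technique, f.label))
    return {pid: "ransomware_precursor" if sum(t == "inhibit_recovery" for t, _ in s) >= 2
            else "suspicious" for pid, s in hits.items()}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CMD_C = '"C:\\Windows\\System32\\cmd.exe" /c '

def _proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
def _reg(pid, name, value):
    return {"type": "registry", "pid": pid, "path": POLICY_KEY + "\\" + name, "value": value}

SAMPLE_EVENTS = [  # constructed; mirrors the process list and registry rows above
    _proc(1116, 1000, SAMPLE, f'"{SAMPLE}"'),
    _proc(868, 1116, CMD, CMD_C + "vssadmin.exe Delete Shadows /All /Quiet"),
    _proc(5001, 868, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    _proc(324, 1116, CMD, CMD_C + "wmic.exe SHADOWCOPY /nointeractive"),
    _proc(5002, 1116, CMD, CMD_C + "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"),
    _proc(5003, 1116, CMD, CMD_C + "bcdedit.exe /set {default} recoveryenabled No"),
    _reg(1116, "EnableLUA", "0"),
    _reg(1116, "ConsentPromptBehaviorAdmin", "0"),
    _reg(1116, "EnableLinkedConnections", "1"),
    # control: one manual deletion from an Explorer-spawned shell, not a full chain
    _proc(2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    _proc(2100, 2000, CMD, CMD_C + "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f.origin_pid, f.technique, f.label, "<-", f.detail)
    print(verdict(classify(SAMPLE_EVENTS)))  # {1116: 'ransomware_precursor', 2000: 'suspicious'}
```

Run as a script it prints one line per finding and the per-origin verdict. The origin walk is what makes the grading work: the four cmd.exe children and the vssadmin.exe grandchild all collapse onto PID 1116, so the sample is graded on four distinct recovery-inhibition techniques plus three UAC policy writes, while the single manual vssadmin deletion from Explorer is only flagged as suspicious. Hostname, user and timestamp fields of real Sysmon or EDR events are omitted here; the matching is on command line and parent chain only.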

Network

N/A

Files

memory/1116-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

memory/1748-61-0x0000000000000000-mapping.dmp

memory/1840-62-0x0000000000000000-mapping.dmp

memory/1784-63-0x0000000000000000-mapping.dmp

memory/1384-64-0x0000000000000000-mapping.dmp

memory/1664-65-0x0000000000000000-mapping.dmp

memory/332-66-0x0000000000000000-mapping.dmp

memory/784-67-0x0000000000000000-mapping.dmp

memory/272-68-0x0000000000000000-mapping.dmp

memory/288-69-0x0000000000000000-mapping.dmp

memory/596-70-0x0000000000000000-mapping.dmp

memory/1168-71-0x0000000000000000-mapping.dmp

memory/1072-72-0x0000000000000000-mapping.dmp

memory/524-73-0x0000000000000000-mapping.dmp

memory/1572-74-0x0000000000000000-mapping.dmp

memory/868-75-0x0000000000000000-mapping.dmp

memory/324-76-0x0000000000000000-mapping.dmp

memory/1760-77-0x0000000000000000-mapping.dmp

memory/1724-78-0x0000000000000000-mapping.dmp

memory/1496-79-0x0000000000000000-mapping.dmp

memory/1732-80-0x0000000000000000-mapping.dmp

memory/1548-81-0x0000000000000000-mapping.dmp

memory/760-82-0x0000000000000000-mapping.dmp

memory/1200-83-0x0000000000000000-mapping.dmp

memory/1532-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

MD5 c6e29cbcd8931882784168092441b538
SHA1 cf530ed1b8eecefb1f3418c8e057b697b43279f6
SHA256 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e
SHA512 5b8dd08d024522799183289994ec4ffd898e4dc71dea2a30a7eecef716d27b2b59f30c93cc41090278c9d470f796d24b950a1add6a97b52d3d0e3557cce32497

Note: the SHA256 matches the submitted sample (see the report header), so the file written under AppData\Roaming\Microsoft\Windows is a byte-identical copy of the sample rather than a second payload; the later launches of this path in the process list are the copy being executed.

memory/1796-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

MD5 c6e29cbcd8931882784168092441b538
SHA1 cf530ed1b8eecefb1f3418c8e057b697b43279f6
SHA256 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e
SHA512 5b8dd08d024522799183289994ec4ffd898e4dc71dea2a30a7eecef716d27b2b59f30c93cc41090278c9d470f796d24b950a1add6a97b52d3d0e3557cce32497

memory/1868-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e.exe

MD5 c6e29cbcd8931882784168092441b538
SHA1 cf530ed1b8eecefb1f3418c8e057b697b43279f6
SHA256 9911c4c87ae1f6f75f60e91ba2eff56531e097efa244bc0624e2f939398f1b8e
SHA512 5b8dd08d024522799183289994ec4ffd898e4dc71dea2a30a7eecef716d27b2b59f30c93cc41090278c9d470f796d24b950a1add6a97b52d3d0e3557cce32497