Malware Analysis Report

2025-01-02 15:35

Sample ID 210528-s1w3th9nen
Target 75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f
SHA256 75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f
Tags
ransomware avaddon evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f

Threat Level: Known bad

The file 75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f was found to be: Known bad.

Malicious Activity Summary

ransomware avaddon evasion trojan

Avaddon family

UAC bypass

Avaddon Ransomware

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates physical storage devices

System policy modification

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-28 10:50

Signatures

Avaddon Ransomware

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Avaddon family

avaddon

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-28 10:50

Reported

2021-05-28 10:53

Platform

win7v20210410

Max time kernel

90s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe"

Signatures

UAC bypass

evasion trojan

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.accABDDace C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.accABDDace C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2004 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2004 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2004 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe

"C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2021-05-28 10:50

Reported

2021-05-28 10:53

Platform

win10v20210410

Max time kernel

119s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe"

Signatures

UAC bypass

evasion trojan

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ReceiveSuspend.tiff => C:\Users\Admin\Pictures\ReceiveSuspend.tiff.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveConvertTo.crw => C:\Users\Admin\Pictures\ResolveConvertTo.crw.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\UndoShow.tif => C:\Users\Admin\Pictures\UndoShow.tif.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\TestReceive.tif => C:\Users\Admin\Pictures\TestReceive.tif.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\EditImport.raw => C:\Users\Admin\Pictures\EditImport.raw.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandConnect.tif => C:\Users\Admin\Pictures\ExpandConnect.tif.eCeDadbe C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveSuspend.tiff C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3400 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3400 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2232 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3564 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3564 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2232 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2120 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2120 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1916 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe

"C:\Users\Admin\AppData\Local\Temp\75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

Network

Country Destination Domain Proto
N/A 10.10.0.1:445 tcp
N/A 10.10.0.35:60982 tcp
N/A 10.10.0.1:139 tcp
N/A 10.10.0.41:63295 tcp
N/A 10.10.0.11:59392 tcp
N/A 10.10.0.23:50702 tcp
N/A 10.10.0.34:51734 tcp
N/A 10.10.0.10:445 tcp
N/A 10.10.0.11:445 tcp
N/A 10.10.0.13:445 tcp
N/A 10.10.0.16:445 tcp
N/A 10.10.0.22:445 tcp
N/A 10.10.0.23:445 tcp
N/A 10.10.0.22:64463 tcp
N/A 10.10.0.10:64411 tcp
N/A 10.10.0.29:445 tcp
N/A 10.10.0.34:445 tcp
N/A 10.10.0.13:61829 tcp
N/A 10.10.0.39:445 tcp
N/A 10.10.0.20:58211 tcp

Files

memory/3400-114-0x0000000000000000-mapping.dmp

memory/3916-116-0x0000000000000000-mapping.dmp

memory/216-115-0x0000000000000000-mapping.dmp

memory/3120-117-0x0000000000000000-mapping.dmp

memory/736-118-0x0000000000000000-mapping.dmp

memory/1424-121-0x0000000000000000-mapping.dmp

memory/2120-120-0x0000000000000000-mapping.dmp

memory/380-122-0x0000000000000000-mapping.dmp

memory/3564-119-0x0000000000000000-mapping.dmp

memory/212-123-0x0000000000000000-mapping.dmp

memory/372-124-0x0000000000000000-mapping.dmp

memory/1916-125-0x0000000000000000-mapping.dmp

memory/4104-126-0x0000000000000000-mapping.dmp

memory/4172-128-0x0000000000000000-mapping.dmp

memory/4160-127-0x0000000000000000-mapping.dmp

memory/4216-129-0x0000000000000000-mapping.dmp

memory/4284-131-0x0000000000000000-mapping.dmp

memory/4336-132-0x0000000000000000-mapping.dmp

memory/4256-130-0x0000000000000000-mapping.dmp

memory/4380-133-0x0000000000000000-mapping.dmp

memory/4556-134-0x0000000000000000-mapping.dmp

memory/4584-135-0x0000000000000000-mapping.dmp

memory/4620-136-0x0000000000000000-mapping.dmp

memory/4712-137-0x0000000000000000-mapping.dmp