edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf

Analysis

max time kernel
94s
max time network
119s
platform
windows10_x64
resource
win10v20210410
submitted
28/05/2021, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Size

893KB
MD5

8856669b9a76eeb19e5673db6c4491ab
SHA1

2d328721640ebb3ddeb971316141fd2b3a84ae84
SHA256

edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf
SHA512

96af5e42d4aab9ffbe10f4db0e2811d7e00ceebed7ed52b8e679164a92011bfa8eb7c33864be3b3e92358ba3b30ba87bab25cde9ee9163b325a7b542eea621e3

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

\??\c:\teslarvng2.hta

Ransom Note

all data in your machine turned to useless binary code your databses and important files have been downloaded and will be published after 12days if not paid to return files and prevent publishing email us at : [email protected] , [email protected] (send copy to both, your id as subject) your id : xUBLMi2I tips: no one else can help you ,don't waste your business time you ask for proof that we have your data ,and you can see our old target that their data have been published if not paid after 12days Google your Campany Name and you wil see your private and custorres data in there ,happy will legal and bussiness challenges of data leak after for decryption anyone/any company offering help will get extra fee(some times even more than ours!) added to ours or simplly will scam you (dont pay us after getting test file, lie and scam you) so if you want a Intermediary chose a trusted one to avoid scams , and get your data for decryption you send a few Sample files for test before any payment we won;t be available for long DONT DELETE FILES AT c:\teslarvng2 dont play with encrypted files that will corrupt them and make unrecoverable. due raas(it means the email you talk will give percentage to devs ) to avoid scam never pay anyone without testfile (us or any dealer),never ever pay outside of this 2 emails,ONLY PAY TO THE WALLET ADDRESS YOU RECEIVE WITH DECRYPTED SAMPLE FILE ,scam can't happen if this tips are followed . use google translate (if you don't know english)

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2720	wbadmin.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\d:	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened (read-only)	\??\d:	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mshta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkNoDrop32x32.gif	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ja.properties	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access_output\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Photo Viewer\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Media Renderer\DMR_48.png	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\adovbs.inc	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.INF	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\en-US\wmpnscfg.exe.mui	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.ps1	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\bg\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\AssertResume.ps1	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\RenameSend.wps	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\en_GB\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\teslarvng2.hta	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\PlayStore_icon.svg	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\windows\logg.bat	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4672	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
440	tasklist.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5052	vssadmin.exe
2224	vssadmin.exe
1120	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c00770065006200630061006300680065005c007600300031002e006c006f00670000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c0075007300720063006c006100730073002e006400610074002e006c006f006700320000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = 60cd68731e259c69289854022347ec59848c1cc96704974779d64190ed810818	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c0075007300720063006c006100730073002e0064006100740000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 75ad579425d1dea22e444ec0fb96ec2b0d16219fefda99213a9c18c8d0417247	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\SessionHash = 160613f53120c530cb5352bea7d006b605f0d0092f1d53a03fe6d480dabc9aa2	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mshta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c00770065006200630061006300680065005c00770065006200630061006300680065007600300031002e006a0066006d0000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mshta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = b14034dbfa5f03c459c56d4a7581ff2354fc118c7f3bdad25dfd04333d14b560	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0003\SessionHash = 7ff7af93e677d7524acb7454ad0778b4399e1d41788c7fac865db3822dc68e0e	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\Owner = 84130000f03157a2a953d701	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\Sequence = "1"	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\Sequence = "1"	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mshta.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a03176d63e384f0e80939583be9a4fa7c7916fc08fc3c3c352bfa6f7069e95d8	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\SessionHash = 8fff1e12c0b2f85da8718f6d029acbd7e5483db91fde1a96c11b1b9f76d985b8	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\Sequence = "1"	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e6dfae9151c7e0d1e1f0fa667b9f1da407a701bdaa3c63e20b7d5997fac5c36f	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFiles0000 = 5c005c003f005c0063003a005c00700072006f006700720061006d0064006100740061005c006d006900630072006f0073006f00660074005c0064006900610067006e006f007300690073005c00650074006c006c006f00670073005c006100750074006f006c006f0067006700650072005c006100750074006f006c006f0067006700650072002d00640069006100670074007200610063006b002d006c0069007300740065006e00650072002e00650074006c0000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c0075007300720063006c006100730073002e006400610074007b00330034003300310039003900350032002d0039006100300035002d0031003100650062002d0061003100310032002d003400650062003500350038003700310036003400360064007d002e0074006d0063006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f447e7bf4356d26201ffe3baec0b5baf7e32fde68765d5158f38031ed49abd98	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\SessionHash = 578cab8fc8512337aa401c2d39708d9e8cb0e34b087db7e98167ade41a1a96f2	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFilesHash = 862e67a61a3b8372efddb2f063385452c30a541613edcb11479d2aab9abebdb2	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFilesHash = 01444e2d39b9d7af2a02bf426ba7cbe0cee610379120c5b9a5f18fb96d3831e3	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\Owner = 84130000f03157a2a953d701	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\RegFilesHash = 69d68c5ba325e98bf81f4b21e9243eb625c1bff6daa968e70982109303c67ef6	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0063003a005c00700072006f006700720061006d0064006100740061005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c007700660070005c0077006600700064006900610067002e00650074006c0000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\SessionHash = 566fc0b23e112a6b1ab8384f72b6cc32359011f123a161147f94fe55d623883e	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7dd09a846aa74d54cf092ec6035ce0d0b1be88aa153bfebbe3825eae62eb8028	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFilesHash = 601b094bbedd0965921ed227bc8da94e961208ca2f9e1b3b2a7c960604ec4feb	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\RegFiles0000 = 5c005c003f005c0063003a005c00700072006f006700720061006d0064006100740061005c006d006900630072006f0073006f00660074005c006e006500740077006f0072006b005c0064006f0077006e006c006f0061006400650072005c0071006d00670072002e006400620000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0003\RegFiles0000 = 5c005c003f005c0063003a005c00700072006f006700720061006d0064006100740061005c006d006900630072006f0073006f00660074005c006e006500740077006f0072006b005c0064006f0077006e006c006f0061006400650072005c0071006d00670072002e006a0066006d0000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\RegFilesHash = 826740f796561c5d01864928b5fdf3f5d9f1c4bf0d08f9849d7802b0e0c126b5	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\RegFilesHash = 9348c1dc7d2a357f6df3734297990ca6f4d45f3d7db9242b8d06727d49d68cc3	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 9cc1493bb4b0e10fd50748f14321b7ed148726c5d24d2cf0e9ce18ac8ee1fbc4	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = 866678a7746f73d3feb3ddb52f72746a3ba5876abf9bc448146500af0bb887ce	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c00770065006200630061006300680065005c00770065006200630061006300680065007600300031002e0064006100740000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0003\Owner = 84130000f03157a2a953d701	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0004\RegFiles0000 = 5c005c003f005c0063003a005c00750073006500720073005c00610064006d0069006e005c0061007000700064006100740061005c006c006f00630061006c005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c0075007300720063006c006100730073002e006400610074007b00330034003300310039003900350032002d0039006100300035002d0031003100650062002d0061003100310032002d003400650062003500350038003700310036003400360064007d002e0074006d002e0062006c00660000000000	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e840cef86e19bb2d504034a021b77fc346698c2021e6681240485c372578ad92	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 84130000f03157a2a953d701	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0003\Sequence = "1"	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeRestorePrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeTakeOwnershipPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeAuditPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeSecurityPrivilege	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	5116	vssvc.exe
Token: SeRestorePrivilege	5116	vssvc.exe
Token: SeAuditPrivilege	5116	vssvc.exe
Token: SeDebugPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeRestorePrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeTakeOwnershipPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeAuditPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeSecurityPrivilege	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeAssignPrimaryTokenPrivilege	4116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4276	wbengine.exe
Token: SeRestorePrivilege	4276	wbengine.exe
Token: SeSecurityPrivilege	4276	wbengine.exe
Token: SeDebugPrivilege	440	tasklist.exe
Token: SeShutdownPrivilege	2400	shutdown.exe
Token: SeRemoteShutdownPrivilege	2400	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
668	LogonUI.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 316	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	75
PID 4060 wrote to memory of 316	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	75
PID 4060 wrote to memory of 3360	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	81
PID 4060 wrote to memory of 3360	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	81
PID 4060 wrote to memory of 1120	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	84
PID 4060 wrote to memory of 1120	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	84
PID 4060 wrote to memory of 4888	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	87
PID 4060 wrote to memory of 4888	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	87
PID 4060 wrote to memory of 4944	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	89
PID 4060 wrote to memory of 4944	4060	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	89
PID 4996 wrote to memory of 5040	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	92
PID 4996 wrote to memory of 5040	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	92
PID 4996 wrote to memory of 5052	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	93
PID 4996 wrote to memory of 5052	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	93
PID 4996 wrote to memory of 200	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	101
PID 4996 wrote to memory of 200	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	101
PID 4996 wrote to memory of 2224	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	105
PID 4996 wrote to memory of 2224	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	105
PID 4996 wrote to memory of 2720	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	104
PID 4996 wrote to memory of 2720	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	104
PID 4996 wrote to memory of 4116	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	106
PID 4996 wrote to memory of 4116	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	106
PID 4996 wrote to memory of 4448	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	113
PID 4996 wrote to memory of 4448	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	113
PID 4996 wrote to memory of 4460	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	114
PID 4996 wrote to memory of 4460	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	114
PID 4996 wrote to memory of 4476	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	115
PID 4996 wrote to memory of 4476	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	115
PID 4996 wrote to memory of 4500	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	117
PID 4996 wrote to memory of 4500	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	117
PID 4996 wrote to memory of 4528	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	121
PID 4996 wrote to memory of 4528	4996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	121
PID 4476 wrote to memory of 4672	4476	cmd.exe	125
PID 4476 wrote to memory of 4672	4476	cmd.exe	125
PID 4500 wrote to memory of 440	4500	cmd.exe	122
PID 4500 wrote to memory of 440	4500	cmd.exe	122
PID 4528 wrote to memory of 3740	4528	cmd.exe	123
PID 4528 wrote to memory of 3740	4528	cmd.exe	123
PID 4500 wrote to memory of 2320	4500	cmd.exe	124
PID 4500 wrote to memory of 2320	4500	cmd.exe	124
PID 4476 wrote to memory of 2292	4476	cmd.exe	126
PID 4476 wrote to memory of 2292	4476	cmd.exe	126
PID 4500 wrote to memory of 2400	4500	cmd.exe	129
PID 4500 wrote to memory of 2400	4500	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
"C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto
  2⤵
  PID:316
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:3360
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1120
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto
  2⤵
  PID:4888
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" start defragsrv
  2⤵
  PID:4944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:5040
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:5052
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" delete defragsrv
  2⤵
  PID:200
- \??\c:\windows\system32\wbadmin.exe
  "c:\windows\system32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:2720
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2224
- \??\c:\Windows\System32\wbem\WMIC.exe
  "c:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- \??\c:\windows\system32\mshta.exe
  "c:\windows\system32\mshta.exe" "c:\teslarvng2.hta"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4448
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:4460
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c SCHTASKS /create /tn logg /sc MINUTE /mo 10 /tr "c:\windows\logg.bat" /ru "NT AUTHORITY\SYSTEM"&&SCHTASKS /run /tn logg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /create /tn logg /sc MINUTE /mo 10 /tr "c:\windows\logg.bat" /ru "NT AUTHORITY\SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:4672
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /run /tn logg
    3⤵
    PID:2292
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c "C:\Windows\TEMP\wait.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- - C:\Windows\system32\find.exe
    find /i "SDELETE.exe"
    3⤵
    PID:2320
- - C:\Windows\system32\shutdown.exe
    shutdown /p /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -w 1000 -n 30 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -w 1000 -n 30
    3⤵
    - Runs ping.exe
    PID:3740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4424

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\logg.bat"
1⤵
PID:4692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad6055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:668