c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc

Analysis

max time kernel
31s
max time network
43s
platform
windows7_x64
resource
win7v20210410
submitted
08/08/2021, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
Size

1.2MB
MD5

e0ae997e515ce9689eac7e2d74035e29
SHA1

a0f28890dfe66a158771ed70745ed1efbde91427
SHA256

c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc
SHA512

4d7cacd97c519c2324b20ec361d065b02261f34e1aa702fbd5f537ba07f9f969ed35fe014f93988f7fa90b89fedf520b926808c28d07daf95fd4fd580d51c4e0

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
664	bcdedit.exe
1872	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
364	wbadmin.exe
1696	wbadmin.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ProtectNew.crw.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\StepCompare.png => C:\Users\Admin\Pictures\StepCompare.png.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepCompare.png.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeExport.raw => C:\Users\Admin\Pictures\InitializeExport.raw.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeExport.raw.inprocess => C:\Users\Admin\Pictures\InitializeExport.raw.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeExport.raw.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\ProtectNew.crw => C:\Users\Admin\Pictures\ProtectNew.crw.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectNew.crw.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\StepCompare.png.inprocess => C:\Users\Admin\Pictures\StepCompare.png.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeExport.raw.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\ProtectNew.crw.inprocess => C:\Users\Admin\Pictures\ProtectNew.crw.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepCompare.png.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Deletes itself 1 IoCs

pid	Process
1380	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe\" e"	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\A:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\G:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Z:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Q:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\V:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\E:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\M:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\D:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\I:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\B:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\F:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\K:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\R:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\W:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\N:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\T:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Y:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\X:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\S:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\U:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\L:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\O:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\P:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SECURITY	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SAM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\da266c6b-fa73-4f51-a7eb-a0fd3aba48c6	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Perth.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\WET.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boise.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Cocos	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Monterrey	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Accra	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Anchorage	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Thule.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
436	vssadmin.exe
1740	vssadmin.exe
2020	vssadmin.exe
1432	vssadmin.exe
1688	vssadmin.exe
1048	vssadmin.exe
740	vssadmin.exe
616	vssadmin.exe
1608	vssadmin.exe
1308	vssadmin.exe
1516	vssadmin.exe
916	vssadmin.exe
240	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	1248	vssvc.exe
Token: SeRestorePrivilege	1248	vssvc.exe
Token: SeAuditPrivilege	1248	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2020	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	26
PID 1820 wrote to memory of 2020	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	26
PID 1820 wrote to memory of 2020	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	26
PID 1820 wrote to memory of 1308	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	30
PID 1820 wrote to memory of 1308	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	30
PID 1820 wrote to memory of 1308	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	30
PID 1820 wrote to memory of 1432	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	32
PID 1820 wrote to memory of 1432	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	32
PID 1820 wrote to memory of 1432	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	32
PID 1820 wrote to memory of 1688	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	34
PID 1820 wrote to memory of 1688	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	34
PID 1820 wrote to memory of 1688	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	34
PID 1820 wrote to memory of 1048	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	36
PID 1820 wrote to memory of 1048	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	36
PID 1820 wrote to memory of 1048	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	36
PID 1820 wrote to memory of 1516	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	38
PID 1820 wrote to memory of 1516	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	38
PID 1820 wrote to memory of 1516	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	38
PID 1820 wrote to memory of 740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	40
PID 1820 wrote to memory of 740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	40
PID 1820 wrote to memory of 740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	40
PID 1820 wrote to memory of 616	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	42
PID 1820 wrote to memory of 616	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	42
PID 1820 wrote to memory of 616	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	42
PID 1820 wrote to memory of 916	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	44
PID 1820 wrote to memory of 916	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	44
PID 1820 wrote to memory of 916	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	44
PID 1820 wrote to memory of 436	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	46
PID 1820 wrote to memory of 436	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	46
PID 1820 wrote to memory of 436	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	46
PID 1820 wrote to memory of 240	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	48
PID 1820 wrote to memory of 240	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	48
PID 1820 wrote to memory of 240	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	48
PID 1820 wrote to memory of 1740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	50
PID 1820 wrote to memory of 1740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	50
PID 1820 wrote to memory of 1740	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	50
PID 1820 wrote to memory of 1608	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	52
PID 1820 wrote to memory of 1608	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	52
PID 1820 wrote to memory of 1608	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	52
PID 1820 wrote to memory of 664	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	56
PID 1820 wrote to memory of 664	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	56
PID 1820 wrote to memory of 664	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	56
PID 1820 wrote to memory of 1872	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	58
PID 1820 wrote to memory of 1872	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	58
PID 1820 wrote to memory of 1872	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	58
PID 1820 wrote to memory of 364	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	60
PID 1820 wrote to memory of 364	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	60
PID 1820 wrote to memory of 364	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	60
PID 1820 wrote to memory of 1696	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	62
PID 1820 wrote to memory of 1696	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	62
PID 1820 wrote to memory of 1696	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	62
PID 1820 wrote to memory of 1644	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	64
PID 1820 wrote to memory of 1644	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	64
PID 1820 wrote to memory of 1644	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	64
PID 1820 wrote to memory of 1380	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	69
PID 1820 wrote to memory of 1380	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	69
PID 1820 wrote to memory of 1380	1820	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	69

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

C:\Users\Admin\AppData\Local\Temp\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2020
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1308
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1432
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1688
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1048
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1516
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:740
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:616
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:916
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:436
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:240
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1740
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1608
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:664
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1872
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:364
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1696
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2A0A3~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1380