c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc

Analysis

max time kernel
35s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
08/08/2021, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
Size

1.2MB
MD5

e0ae997e515ce9689eac7e2d74035e29
SHA1

a0f28890dfe66a158771ed70745ed1efbde91427
SHA256

c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc
SHA512

4d7cacd97c519c2324b20ec361d065b02261f34e1aa702fbd5f537ba07f9f969ed35fe014f93988f7fa90b89fedf520b926808c28d07daf95fd4fd580d51c4e0

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3064	bcdedit.exe
184	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2788	wbadmin.exe
1320	wbadmin.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Modifies extensions of user files 23 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertToUnregister.png => C:\Users\Admin\Pictures\ConvertToUnregister.png.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveCompress.tif.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameRemove.tiff => C:\Users\Admin\Pictures\RenameRemove.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameRemove.tiff.inprocess => C:\Users\Admin\Pictures\RenameRemove.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToUnregister.png.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertToUnregister.png.inprocess => C:\Users\Admin\Pictures\ConvertToUnregister.png.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToUnregister.png.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\DisableClose.tiff.inprocess => C:\Users\Admin\Pictures\DisableClose.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\ReceiveCompress.tif => C:\Users\Admin\Pictures\ReceiveCompress.tif.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\ReceiveCompress.tif.inprocess => C:\Users\Admin\Pictures\ReceiveCompress.tif.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\DisableClose.tiff => C:\Users\Admin\Pictures\DisableClose.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveCompress.tif.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\StepGroup.tiff.inprocess => C:\Users\Admin\Pictures\StepGroup.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File renamed	C:\Users\Admin\Pictures\StepGroup.tiff => C:\Users\Admin\Pictures\StepGroup.tiff.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe\" e"	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\P:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\S:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\W:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Y:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\U:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Z:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\O:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\T:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\X:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\G:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\J:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\N:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\D:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\I:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\E:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\R:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\V:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\B:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\K:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\L:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\M:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened (read-only)	\??\Q:	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\62fea884-ba15-4897-9686-808a166505f3.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\SECURITY	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\ELAM	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\ELAM.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\BBI	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f55463bc-6f59-4e20-90ee-5964567988a3.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\VSMIDK	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\ELAM.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\ResPriImageList	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Resources\Maps\mwconfig_client	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Resources\Maps\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootnxt	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.inprocess	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.gpay	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3540	vssadmin.exe
2772	vssadmin.exe
2096	vssadmin.exe
272	vssadmin.exe
1924	vssadmin.exe
3032	vssadmin.exe
2388	vssadmin.exe
184	vssadmin.exe
3988	vssadmin.exe
3472	vssadmin.exe
768	vssadmin.exe
856	vssadmin.exe
3948	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3788	wmic.exe
Token: SeSecurityPrivilege	3788	wmic.exe
Token: SeTakeOwnershipPrivilege	3788	wmic.exe
Token: SeLoadDriverPrivilege	3788	wmic.exe
Token: SeSystemProfilePrivilege	3788	wmic.exe
Token: SeSystemtimePrivilege	3788	wmic.exe
Token: SeProfSingleProcessPrivilege	3788	wmic.exe
Token: SeIncBasePriorityPrivilege	3788	wmic.exe
Token: SeCreatePagefilePrivilege	3788	wmic.exe
Token: SeBackupPrivilege	3788	wmic.exe
Token: SeRestorePrivilege	3788	wmic.exe
Token: SeShutdownPrivilege	3788	wmic.exe
Token: SeDebugPrivilege	3788	wmic.exe
Token: SeSystemEnvironmentPrivilege	3788	wmic.exe
Token: SeRemoteShutdownPrivilege	3788	wmic.exe
Token: SeUndockPrivilege	3788	wmic.exe
Token: SeManageVolumePrivilege	3788	wmic.exe
Token: 33	3788	wmic.exe
Token: 34	3788	wmic.exe
Token: 35	3788	wmic.exe
Token: 36	3788	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1924	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	72
PID 3260 wrote to memory of 1924	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	72
PID 3260 wrote to memory of 3032	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	79
PID 3260 wrote to memory of 3032	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	79
PID 3260 wrote to memory of 2388	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	81
PID 3260 wrote to memory of 2388	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	81
PID 3260 wrote to memory of 184	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	83
PID 3260 wrote to memory of 184	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	83
PID 3260 wrote to memory of 3540	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	85
PID 3260 wrote to memory of 3540	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	85
PID 3260 wrote to memory of 2772	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	87
PID 3260 wrote to memory of 2772	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	87
PID 3260 wrote to memory of 3472	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	89
PID 3260 wrote to memory of 3472	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	89
PID 3260 wrote to memory of 2096	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	91
PID 3260 wrote to memory of 2096	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	91
PID 3260 wrote to memory of 768	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	93
PID 3260 wrote to memory of 768	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	93
PID 3260 wrote to memory of 856	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	95
PID 3260 wrote to memory of 856	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	95
PID 3260 wrote to memory of 272	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	97
PID 3260 wrote to memory of 272	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	97
PID 3260 wrote to memory of 3948	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	99
PID 3260 wrote to memory of 3948	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	99
PID 3260 wrote to memory of 3988	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	101
PID 3260 wrote to memory of 3988	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	101
PID 3260 wrote to memory of 3064	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	103
PID 3260 wrote to memory of 3064	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	103
PID 3260 wrote to memory of 184	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	105
PID 3260 wrote to memory of 184	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	105
PID 3260 wrote to memory of 2788	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	107
PID 3260 wrote to memory of 2788	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	107
PID 3260 wrote to memory of 1320	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	109
PID 3260 wrote to memory of 1320	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	109
PID 3260 wrote to memory of 3788	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	111
PID 3260 wrote to memory of 3788	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	111
PID 3260 wrote to memory of 3420	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	114
PID 3260 wrote to memory of 3420	3260	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe

C:\Users\Admin\AppData\Local\Temp\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3260
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1924
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3032
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2388
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:184
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3540
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2772
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3472
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2096
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:768
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:856
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:272
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3948
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3988
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3064
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:184
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2788
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1320
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2A0A3~1.EXE >> NUL
  2⤵
  PID:3420