Malware Analysis Report

2025-01-18 20:17

Sample ID 220124-bf4xhshbgp
Target c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229
SHA256 c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229
Tags
sodinokibi persistence ransomware $2a$10$bvp0vd8jbqyx0.h5cc5.jeu0ztxsis1rbopxbigefkxt9xw/kwhjm 3972
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229

Threat Level: Known bad

The file c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229 was found to be: Known bad.

Malicious Activity Summary

sodinokibi persistence ransomware $2a$10$bvp0vd8jbqyx0.h5cc5.jeu0ztxsis1rbopxbigefkxt9xw/kwhjm 3972

Sodinokibi family

Sodin,Sodinokibi,REvil

Modifies extensions of user files

Adds Run key to start application

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:06

Signatures

Sodinokibi family

sodinokibi

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:22

Platform

win10-en-20211208

Max time kernel

174s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\PingAssert.tiff => \??\c:\users\admin\pictures\PingAssert.tiff.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandUpdate.raw => \??\c:\users\admin\pictures\ExpandUpdate.raw.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\SplitExit.crw => \??\c:\users\admin\pictures\SplitExit.crw.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\users\admin\pictures\PingAssert.tiff C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\users\admin\pictures\SuspendUse.tiff C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\ConnectRestart.png => \??\c:\users\admin\pictures\ConnectRestart.png.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\ExportSuspend.png => \??\c:\users\admin\pictures\ExportSuspend.png.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\ExportUnblock.tiff => \??\c:\users\admin\pictures\ExportUnblock.tiff.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendUse.tiff => \??\c:\users\admin\pictures\SuspendUse.tiff.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\users\admin\pictures\ExportUnblock.tiff C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\users\admin\pictures\HideStep.tiff C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\BackupFormat.png => \??\c:\users\admin\pictures\BackupFormat.png.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\BackupAssert.raw => \??\c:\users\admin\pictures\BackupAssert.raw.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\HideStep.tiff => \??\c:\users\admin\pictures\HideStep.tiff.a7wwn58 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dTAEUbvF4K = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe" C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v52w5om91355y.bmp" C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\DenyWrite.mpeg3 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SkipRestart.mpeg2 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\TraceExpand.htm C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ExportSubmit.shtml C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ImportConvertTo.htm C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\RepairSkip.cr2 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\RestartOpen.aiff C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\StartConvert.wps C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files\a7wwn58-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\AssertConvertFrom.ps1xml C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\OptimizeUnblock.ex_ C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files (x86)\a7wwn58-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\CompleteSend.docm C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\OptimizeLock.csv C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\WaitProtect.wps C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe

"C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:22

Platform

win7-en-20211208

Max time kernel

143s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\FormatSplit.crw => \??\c:\users\admin\pictures\FormatSplit.crw.9232wam C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\FormatProtect.tif => \??\c:\users\admin\pictures\FormatProtect.tif.9232wam C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\SwitchConvert.raw => \??\c:\users\admin\pictures\SwitchConvert.raw.9232wam C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishReset.raw => \??\c:\users\admin\pictures\UnpublishReset.raw.9232wam C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dTAEUbvF4K = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe" C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m66yf00g9u6.bmp" C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\LockCompress.html C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\MountRepair.wmf C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\PingConnect.3gpp C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\PublishInvoke.edrwx C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files (x86)\9232wam-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\AssertApprove.pps C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\BackupSubmit.html C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ExitUse.vsdx C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\9232wam-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\RevokeExport.vdw C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\UpdateRevoke.png C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\WaitReceive.pps C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\FormatSync.mpv2 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ResumeDisconnect.ttc C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SendMount.vssx C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\WaitNew.mpp C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\MoveLimit.php C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ProtectLimit.sql C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SplitUndo.MTS C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9232wam-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ExitWait.wm C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SubmitWatch.mpeg3 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\WriteRequest.cfg C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\UnlockSync.jpeg C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\DisconnectRename.jtx C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\EditNew.tif C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SetSwitch.clr C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\TraceDisconnect.dib C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files\9232wam-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\MergeGroup.3gp C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9232wam-readme.txt C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\DismountConnect.dib C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\ExportCopy.asf C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
File opened for modification \??\c:\program files\SplitRename.m4v C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe

"C:\Users\Admin\AppData\Local\Temp\c6b18ca4a98fa8a41c7b8e85a01d8a7033d009fec9e4c6ed3fbe3848e4de3229.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/1636-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

memory/1796-55-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

memory/1796-57-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/1796-58-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/1796-59-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/1796-56-0x000007FEF2830000-0x000007FEF338D000-memory.dmp

memory/1796-60-0x0000000002340000-0x00000000023C0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e