Malware Analysis Report

2025-01-18 20:13

Sample ID 220124-bgdfyshbhj
Target c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa
SHA256 c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa
Tags
$2a$10$ibgnfi1.zgjjp2sznn8kueur/0eqkaqz5mzy.mk4qm8qbrkz8qi2g 7002 sodinokibi persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa

Threat Level: Known bad

The file c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa was found to be: Known bad.

Malicious Activity Summary

$2a$10$ibgnfi1.zgjjp2sznn8kueur/0eqkaqz5mzy.mk4qm8qbrkz8qi2g 7002 sodinokibi persistence ransomware spyware stealer

Sodinokibi family

Sodin,Sodinokibi,REvil

Modifies extensions of user files

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:06

Signatures

Sodinokibi family

sodinokibi

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:22

Platform

win7-en-20211208

Max time kernel

147s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\GrantAssert.crw => \??\c:\users\admin\pictures\GrantAssert.crw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\GroupOut.png => \??\c:\users\admin\pictures\GroupOut.png.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\StartUndo.tiff => \??\c:\users\admin\pictures\StartUndo.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\SetRegister.raw => \??\c:\users\admin\pictures\SetRegister.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\SkipPing.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\SkipPing.tiff => \??\c:\users\admin\pictures\SkipPing.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\StartUndo.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\UndoRepair.raw => \??\c:\users\admin\pictures\UndoRepair.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\InitializeSet.raw => \??\c:\users\admin\pictures\InitializeSet.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\MeasureDebug.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File renamed | C:\Users\Admin\Pictures\MeasureDebug.tiff => \??\c:\users\admin\pictures\MeasureDebug.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PtwlDkH6xQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17x1h0a25.bmp" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\FormatApprove.html | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\ImportBlock.vdx | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\OpenStep.3gp | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\RegisterImport.mht | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\TestInstall.WTV | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\24zsb065b-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\ExpandWrite.xltx | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\InitializeUpdate.tmp | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\RemoveProtect.vssm | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\SwitchGrant.xlsb | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\24zsb065b-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files (x86)\24zsb065b-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\DismountInvoke.otf | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\SetPublish.cr2 | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\24zsb065b-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files\24zsb065b-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\BackupEnable.snd | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\DenyAssert.ttc | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\ExpandPop.dotm | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\HideBackup.aif | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\ResetCheckpoint.wmx | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe

"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | smhydro.com.pl | udp
PL | 89.161.222.203:443 | smhydro.com.pl | tcp
PL | 89.161.222.203:443 | smhydro.com.pl | tcp
US | 8.8.8.8:53 | xoabigail.com | udp
US | 8.8.8.8:53 | mercantedifiori.com | udp
US | 170.178.168.203:443 | mercantedifiori.com | tcp

Files

memory/1576-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:22

Platform

win10-en-20211208

Max time kernel

177s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PtwlDkH6xQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\CloseUse.gif | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CompareUninstall.vstm | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\GrantPop.gif | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\MeasureImport.gif | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CheckpointRename.asp | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CloseClear.3g2 | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\DisconnectShow.ps1xml | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\JoinUse.vsd | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CheckpointBackup.TTS | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CheckpointDisconnect.mpg | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\EnableGroup.reg | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\HideSubmit.mht | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\LimitAdd.png | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files\n31ry6n-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\EnableDeny.mht | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\CopyClear.ini | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\ExportFormat.mp4 | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File created | \??\c:\program files (x86)\n31ry6n-readme.txt | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
File opened for modification | \??\c:\program files\BlockExpand.wav | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe

"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

N/A