Malware Analysis Report

2025-01-18 19:11

Sample ID 220130-jr97nshaer
Target 2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c
SHA256 2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c
Tags
neshta sodinokibi 13 49 persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c

Threat Level: Known bad

The file 2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c was found to be: Known bad.

Malicious Activity Summary

neshta sodinokibi 13 49 persistence ransomware spyware stealer

Detect Neshta Payload

Neshta family

Sodinokibi/Revil sample

Sodinokibi family

Modifies system executable filetype association

Neshta

Sodin,Sodinokibi,REvil

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 07:55

Signatures

Detect Neshta Payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 07:55

Reported

2022-01-30 13:08

Platform

win7-en-20211208

Max time kernel

140s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

Signatures

Detect Neshta Payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Neshta

persistence spyware neshta

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_c8514sys.fon_a088232f C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga40857.fon_2c8aa2e4 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b5fa959a738d6d74_auditpol.exe.mui_df4767d7 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63_adtschema.dll_4cae41ac C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_6.1.7600.16385_none_b7e7d4f746c595bb.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_099d2ebabfe3f476.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_hvgafix.fon_bf27df1c C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_03baba203715d388.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-857_31bf3856ad364e35_6.1.7600.16385_none_2adc8eeeb4e35a81.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0eb241dcc51f079_adtschema.dll.mui_208d0981 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_00e51c7022323f45_winscard.dll.mui_4a82d97e C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05194bb98bbf5a4b.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79_advapi32.dll.mui_28c7718f C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_6.1.7600.16385_none_5e96e36b42806ee7_psapi.dll_e8b5b4d1 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_de-de_fc571f848681e778_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ive-blackbox-loader_31bf3856ad364e35_6.1.7600.16385_none_c72819e06acceb59.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4af06e370b1b5ceb_shsvcs.dll.mui_b69fccab C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e8b9b6cce3abf5f.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_51f0750cff4cb31b_explorerframe.dll.mui_074caeb5 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_a7c5fb6de18360b8_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8dccb238c9862b1_netrast.inf_loc_12f4e177 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_winipsec.dll_abfff1a2 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f1983bb066c54ad2.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_en-us_577a0ea6c6dbb377.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..s-runtime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_04c230df23c2abfe.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad_activeds.dll.mui_67414db4 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.1.7601.17514_none_e4433b761c0c84cd_tcpipreg.sys_e872d013 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_bg-bg_f3d7d28457fd7dfc_mlang.dll.mui_2904864a C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dba340d7365a2c01_slc.dll.mui_dc24f809 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d0b77acd0b184bdb.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1474adc65759a4dd_ole32.dll.mui_5035d60a C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_953f0977fbbe9530_sppc.dll.mui_0a75786d C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bae2a13a05218d0f_advapi32.dll.mui_28c7718f C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_edf33f857603a056_wshtcpip.dll.mui_042165f9 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a97b93f9db5cdfdd_certenrollctrl.exe.mui_3b48c5a6 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_654443034cacf513.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c067cb47e93eb5ab_serialui.dll.mui_7d29d2a3 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fdd12afe0656af56_vds.exe.mui_2268d934 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itss.dll_f5d929eb C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a615764d5644890.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00887df2a19c65d6.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d40b16d89404e928.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1820774de6bd4d16_perfd.dat_f1e3dfd2 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_110e6e4fc133c766.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a2cb448d58b3a35_keyiso.dll.mui_4bbf12ff C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_6.1.7600.16385_none_6144d01edfdac19c.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d_dciman32.dll_a41dd515 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d89a9aa5ed31424.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcp60_31bf3856ad364e35_6.1.7600.16385_none_4277eab412b31810_msvcp60.dll_d804e509 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c08b90a4bb1ab825_spp.dll.mui_42138158 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_402dac258d03220a_scesrv.dll.mui_c6e979b7 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5588b35e1b8aed89_dhcpcsvc6.dll.mui_b45c7567 C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf44ea0282c54ebb.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_86a905149145b37c.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_1083c2248cf458dd.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dynamicvolumemanager_31bf3856ad364e35_6.1.7601.17514_none_3b28c7719cc8612d.manifest C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 868 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 868 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 868 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 868 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 864 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 864 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 864 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 864 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 872 wrote to memory of 576 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 576 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 576 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 576 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 576 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 576 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 576 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/868-54-0x0000000075761000-0x0000000075763000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

C:\Windows\svchost.com

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE

C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE

C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE

C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE

C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 07:55

Reported

2022-01-30 13:09

Platform

win10-en-20211208

Max time kernel

155s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

Signatures

Detect Neshta Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Neshta

persistence spyware neshta

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 3016 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 3016 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
PID 3152 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 3152 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 3152 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe C:\Windows\svchost.com
PID 740 wrote to memory of 1692 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1692 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1692 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1692 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1692 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

C:\Windows\svchost.com

C:\odt\OFFICE~1.EXE

C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE

C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 32853955255a94fcd7587ca9cbfe2b60
SHA1 c33a88184c09e89598f0cabf68ce91c8d5791521
SHA256 64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330
SHA512 8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 f6636e7fd493f59a5511f08894bba153
SHA1 3618061817fdf1155acc0c99b7639b30e3b6936c
SHA256 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512 bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE

MD5 a49eb5f2ad98fffade88c1d337854f89
SHA1 2cc197bcf3625751f7e714ac1caf8e554d0be3b1
SHA256 99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
SHA512 4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 3e8de969e12cd5e6292489a12a9834b6
SHA1 285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA256 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512 b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e