0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386

General

Target

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
Size

69KB
MD5

3d6739af26024c834c7b643b2521acf6
SHA1

c66095df6545de1625dc365dfd45c13ad04fabee
SHA256

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386
SHA512

97b333f293541d50b32dff7b5b50db24086964dd49be962896f6fe3bf58faafebde507ff4486381ace02cc32009650df81d75db8afb64ce40ad74d0c34b66b18

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnableSend.tiff	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-250.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\Settings.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\91.jpg	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_hr.json	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\SpeechOn.wav	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling.ort	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\AchievementUnlocked.mp3	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-200_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-32.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-400.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square71x71Logo.scale-100.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Kiss.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-80_altform-unplated_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-150.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.ViewModel.winmd	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\resources.pri	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\DeleteToastQuickAction.scale-80.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-100.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.29e797f3.pri	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Tracing.jpg	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-200.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ZviewOverlay.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Hedge.dxt	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-black.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-200.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-100.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxManifest.xml	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-200.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notification-checkbox.css	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Moonlight.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4508 vssadmin.exe

pid	process
4508	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

pid	process
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
Token: SeImpersonatePrivilege	3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
Token: SeBackupPrivilege	9564	vssvc.exe
Token: SeRestorePrivilege	9564	vssvc.exe
Token: SeAuditPrivilege	9564	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe

description	pid	process	target process
PID 3268 wrote to memory of 4508	3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe	vssadmin.exe
PID 3268 wrote to memory of 4508	3268	0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe
"C:\Users\Admin\AppData\Local\Temp\0a8765300eb3e280696d7ad737d79e2da9ab99102c707366854128669e15a386.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4508