Malware Analysis Report

2024-11-16 12:18

Sample ID 230629-1slzxafc23
Target 0.ex
SHA256 b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53

Threat Level: Known bad

The file 0.ex was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (480) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Modifies extensions of user files

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-29 21:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-29 21:54

Reported

2023-06-29 21:57

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (480) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MergeRepair.tiff C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReadRestart.tiff C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\0.exe C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0 = "C:\\Users\\Admin\\AppData\\Local\\0.exe" C:\Users\Admin\AppData\Local\Temp\0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0 = "C:\\Users\\Admin\\AppData\\Local\\0.exe" C:\Users\Admin\AppData\Local\Temp\0.exe N/A
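The startup-folder drop, the Run key named `0` and the `.id[63CF50CA-3483].[<contact>].8base` suffix recorded above are the host artefacts a responder would sweep for after this sample. The script below is an added example, not code from this report or from the sandbox: it takes (description, indicator) pairs in the shape of the report's table rows (constructed here, with the placeholder address `attacker@example.invalid` because the real contact address is redacted on the page), parses the Phobos-family naming pattern `<name>.id[<8 hex>-<4 hex>].[<contact>].<ext>` to recover the victim ID and extension, and pulls out the Run key value and the Startup-folder executable.

```python
import re
from typing import Dict, List, Optional, Tuple

# Phobos-family encrypted-file naming:
#   <original name>.id[<8 hex>-<4 hex>].[<contact address>].<extension>
# The victim ID "63CF50CA-3483" and the ".8base" extension are the ones
# recorded in this report; the contact address is redacted on the page, so
# the pattern accepts any bracketed token in that position.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)

# (description, indicator) pairs in the shape of the report's table rows.
# Constructed for this example; "attacker@example.invalid" stands in for
# the redacted contact address.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
     r"\desktop.ini.id[63CF50CA-3483].[attacker@example.invalid].8base"),
    ("File created",
     r"\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\0.exe"),
    ("File created",
     r"C:\Program Files\Microsoft Office\root\Office16"
     r"\Interceptor.dll.id[63CF50CA-3483].[attacker@example.invalid].8base"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\MergeRepair.tiff"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft"
     r"\Windows\CurrentVersion\Run\0 = " r'"C:\\Users\\Admin\\AppData\\Local\\0.exe"'),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0 = "
     r'"C:\\Users\\Admin\\AppData\\Local\\0.exe"'),
]


def parse_phobos_name(path: str) -> Optional[Dict[str, str]]:
    """Split a Phobos-style encrypted file name into its parts, or return None."""
    name = path.rsplit("\\", 1)[-1]
    match = PHOBOS_NAME_RE.match(name)
    return match.groupdict() if match else None


def extract_iocs(rows: List[Tuple[str, str]]) -> Dict[str, object]:
    """Pull victim ID, extension, contact and persistence artefacts out of indicator rows."""
    encrypted: List[Dict[str, str]] = []
    persistence: List[Tuple[str, str, str]] = []
    for description, indicator in rows:
        parsed = parse_phobos_name(indicator)
        if parsed:
            encrypted.append(parsed)
        if description.startswith("Set value") and RUN_KEY_RE.search(indicator):
            key, _, value = indicator.partition(" = ")
            # The sandbox prints REG_SZ data quoted and with escaped backslashes.
            persistence.append(("run_key", key, value.strip('"').replace("\\\\", "\\")))
        elif description == "File created" and STARTUP_EXE_RE.search(indicator):
            persistence.append(("startup_folder", indicator, ""))
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "extensions": sorted({e["ext"] for e in encrypted}),
        "contacts": sorted({e["contact"] for e in encrypted}),
        "persistence": persistence,
    }


if __name__ == "__main__":
    for field, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{field}: {value}")
```

The Run value points at C:\Users\Admin\AppData\Local\0.exe while the detonated process ran from C:\Users\Admin\AppData\Local\Temp\0.exe, so a sweep should collect both locations as well as the Startup-folder copy. When hunting for the suffix with PowerShell, keep in mind that square brackets are wildcard characters in -Path and -Filter; use -LiteralPath or a -match regex instead.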

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\cardflipped.dat C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_delete_18.svg.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\CortanaMDL2Assets.ttf C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\YelpLogo.svg C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderBlack.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_selected_18.svg C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\vcamp140.dll C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sv.pak.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.id[63CF50CA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-140.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
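The signatures that spawn bcdedit, wbadmin, netsh and vssadmin (together with the WMIC launches visible in the AdjustPrivilegeToken section below) make up the recovery-inhibition chain typical of the Phobos family, but the report records only the binaries, not their arguments. The detector below is an added example, not part of this report or of the sandbox's signature set: it runs over constructed Sysmon-style process-creation events (ParentImage, Image, CommandLine), classifies each against command-line forms commonly seen from this family (assumed here, not taken from the report), and alerts on a parent process that hits several distinct techniques rather than on any single command, so that an administrator running `vssadmin list shadows` or `bcdedit /enum` does not trigger it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One rule per recovery-inhibition technique: (label, image basename, command-line pattern).
# The command lines are forms commonly seen from Phobos-family samples and are
# assumptions for this example; the report records only which binaries ran
# (bcdedit, wbadmin, netsh, vssadmin, WMIC), not their arguments.
RULES = [
    ("shadow_copy_delete", "vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("shadow_copy_delete", "wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", "wbadmin.exe", re.compile(r"delete\s+catalog", re.I)),
    ("boot_recovery_disabled", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("firewall_disabled", "netsh.exe",
     re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable", re.I)),
]

Event = Dict[str, str]  # keys follow Sysmon event 1: ParentImage, Image, CommandLine

# Constructed events: the sample's path from this report as parent, plus two
# benign administrator commands under cmd.exe that must not alert.
SAMPLE_PARENT = r"C:\Users\Admin\AppData\Local\Temp\0.exe"
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"ParentImage": SAMPLE_PARENT, "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": "netsh firewall set opmode mode=disable"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /enum"},
]


def classify(event: Event) -> Optional[str]:
    """Return the technique label an event matches, or None for benign use of the binary."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    for label, binary, pattern in RULES:
        if image == binary and pattern.search(event["CommandLine"]):
            return label
    return None


def detect_recovery_inhibition(events: List[Event], min_categories: int = 2) -> Dict[str, Dict[str, str]]:
    """Group matches by parent process; flag parents that hit min_categories distinct techniques."""
    by_parent: Dict[str, Dict[str, str]] = defaultdict(dict)
    for event in events:
        label = classify(event)
        if label is not None:
            # Keep the first command line seen per technique so the alert is readable.
            by_parent[event["ParentImage"]].setdefault(label, event["CommandLine"])
    return {parent: hits for parent, hits in by_parent.items() if len(hits) >= min_categories}


if __name__ == "__main__":
    for parent, hits in detect_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"ALERT {parent}: {len(hits)} techniques")
        for label, cmdline in hits.items():
            print(f"  {label}: {cmdline}")
```

Counting distinct techniques per parent also absorbs the repeated launches this report shows (four bcdedit and two each of wbadmin, netsh and vssadmin). If a cmd.exe layer sits between the sample and these binaries in real telemetry, key on the ancestor process rather than the immediate parent.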

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2496 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4536 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4536 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4536 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4536 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4536 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4536 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4536 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4536 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2496 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2496 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4536 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4536 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1612 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\SysWOW64\mshta.exe
PID 1612 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0.exe C:\Windows\system32\cmd.exe
PID 292 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 292 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 292 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 292 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 292 wrote to memory of 3888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 292 wrote to memory of 3888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 292 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 292 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 292 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 292 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

C:\Users\Admin\AppData\Local\Temp\0.exe

"C:\Users\Admin\AppData\Local\Temp\0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
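The process list above, read together with the WriteProcessMemory rows, is the classic Phobos inhibition chain: the dropper (PID 1612) spawns cmd.exe children which in turn run vssadmin, WMIC, bcdedit, wbadmin and netsh to destroy shadow copies, disable Windows recovery, delete the backup catalog and switch off the firewall. The following is an added example, not part of the sandbox output, showing how a responder can flag that chain in process-creation telemetry (Sysmon Event ID 1 / Security 4688 style) and attribute each hit back to its root process. The event records are constructed from the PIDs and command lines on this page; the field names, the parent PIDs of the root processes (900, 700) and the benign "vssadmin list shadows" control row are assumptions made for the example.

```python
"""Flag ransomware-style backup/recovery inhibition in process-creation events.

Added example for this report, not sandbox output. EVENTS is constructed from
the PIDs and command lines in the report; field names and the parent PIDs of
the root processes (900, 700) are assumptions.
"""
import re
from collections import defaultdict

# (rule name, executable basename, pattern over the command line)
RULES = [
    ("shadow_copy_delete_vssadmin", "vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("shadow_copy_delete_wmic", "wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled", "bcdedit.exe", re.compile(r"recoveryenabled\s+no", re.I)),
    ("boot_status_ignore_failures", "bcdedit.exe", re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_delete", "wbadmin.exe", re.compile(r"delete\s+catalog", re.I)),
    ("firewall_disabled", "netsh.exe",
     re.compile(r"(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
]

EVENTS = [  # constructed from the report's process list; ppid 900/700 are placeholders
    {"pid": 1612, "ppid": 900, "image": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0.exe"'},
    {"pid": 4536, "ppid": 1612, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2496, "ppid": 1612, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 1728, "ppid": 2496, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 1388, "ppid": 4536, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4144, "ppid": 4536, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 3112, "ppid": 4536, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1944, "ppid": 4536, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1976, "ppid": 2496, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 4008, "ppid": 4536, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 3968, "ppid": 1612, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    # benign administrative use of the same binary; must not fire (constructed control row)
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Names of the RULES that the event's image and command line satisfy."""
    name = basename(event["image"])
    return [rule for rule, exe, rx in RULES if exe == name and rx.search(event["cmdline"])]


def ancestry(pid, by_pid):
    """Process chain from pid up to the oldest ancestor present in the log (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """One hit per matching event, attributed to the root of its ancestry chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        rules = match_rules(event)
        if not rules:
            continue
        chain = ancestry(event["pid"], by_pid)
        root = chain[-1]
        hits.append({"pid": event["pid"], "rules": rules, "root_pid": root["pid"],
                     "root_image": root["image"], "depth": len(chain)})
    return hits


def score_roots(hits):
    """Distinct inhibition techniques per root process; several from one root is the ransomware signal."""
    by_root = defaultdict(set)
    for hit in hits:
        by_root[hit["root_pid"]].update(hit["rules"])
    return {pid: sorted(rules) for pid, rules in by_root.items()}


if __name__ == "__main__":
    found = triage(EVENTS)
    for hit in found:
        print(hit)
    print(score_roots(found))
```

Scoring per root rather than per event matters: a single "vssadmin delete shadows" can be legitimate storage housekeeping, but six distinct inhibition techniques under one Temp-directory executable within seconds is not.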

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.162.241.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 52.168.117.169:443 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[63CF50CA-3483].[[email protected]].8base

MD5 fa1ed32388c22377de5990aae471457a
SHA1 44d39e26a63c80e3024bca9e83f55b7fc2da269b
SHA256 9988a1ddfda778072edbad730452fc6c1454244ab8379023e6df2e5bbe0a8752
SHA512 4efb6fe80954ab12eed1e0c0893beaec3bb29358c12c22ff12d1690658a254ee0dd2198393057b0bdbe4a7c2677728bb8e2d96f1e7140e3023951317888706e6

C:\info.hta

MD5 802f1ffb1a3ac33a7a519cdbc7980f36
SHA1 6247a747db588643843d22f1e3c10e5eec9c49a0
SHA256 fe4f7530b725a33b38e02e54a434d7666da8f3fce62f8d3f500af2a640cfece8
SHA512 d7bdbcb36d5313708842edb2319fa3c624416dc3fcff30b1bdf4df10dceb70fd0ad8255f03e45f7afcd980911c7e9bb3eb5164dbfb287aefc9a79541fcb2d46d

C:\info.hta

MD5 802f1ffb1a3ac33a7a519cdbc7980f36
SHA1 6247a747db588643843d22f1e3c10e5eec9c49a0
SHA256 fe4f7530b725a33b38e02e54a434d7666da8f3fce62f8d3f500af2a640cfece8
SHA512 d7bdbcb36d5313708842edb2319fa3c624416dc3fcff30b1bdf4df10dceb70fd0ad8255f03e45f7afcd980911c7e9bb3eb5164dbfb287aefc9a79541fcb2d46d

C:\users\public\desktop\info.hta

MD5 802f1ffb1a3ac33a7a519cdbc7980f36
SHA1 6247a747db588643843d22f1e3c10e5eec9c49a0
SHA256 fe4f7530b725a33b38e02e54a434d7666da8f3fce62f8d3f500af2a640cfece8
SHA512 d7bdbcb36d5313708842edb2319fa3c624416dc3fcff30b1bdf4df10dceb70fd0ad8255f03e45f7afcd980911c7e9bb3eb5164dbfb287aefc9a79541fcb2d46d

C:\Users\Admin\Desktop\info.hta

MD5 802f1ffb1a3ac33a7a519cdbc7980f36
SHA1 6247a747db588643843d22f1e3c10e5eec9c49a0
SHA256 fe4f7530b725a33b38e02e54a434d7666da8f3fce62f8d3f500af2a640cfece8
SHA512 d7bdbcb36d5313708842edb2319fa3c624416dc3fcff30b1bdf4df10dceb70fd0ad8255f03e45f7afcd980911c7e9bb3eb5164dbfb287aefc9a79541fcb2d46d

F:\info.hta

MD5 802f1ffb1a3ac33a7a519cdbc7980f36
SHA1 6247a747db588643843d22f1e3c10e5eec9c49a0
SHA256 fe4f7530b725a33b38e02e54a434d7666da8f3fce62f8d3f500af2a640cfece8
SHA512 d7bdbcb36d5313708842edb2319fa3c624416dc3fcff30b1bdf4df10dceb70fd0ad8255f03e45f7afcd980911c7e9bb3eb5164dbfb287aefc9a79541fcb2d46d
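The encrypted file name above follows the Phobos-family layout `<original>.id[<8 hex>-<4 hex>].[<contact>].<extension>` (here with the 8base extension), and the note info.hta is dropped at the user desktop, the public desktop and the root of every writable volume. The following is an added example, not part of the sandbox output, that parses that layout so a responder can recover original names, confirm a single victim ID across an estate and count affected files per extension. The first sample path is taken from this report verbatim, including its contact field as the page shows it; the remaining paths and the placeholder contact `contact@example.invalid` are constructed for the example.

```python
"""Parse Phobos-family (8Base-tagged) encrypted file names for scoping.

Added example for this report, not sandbox output. Layout on the page:
<original>.id[<hex8>-<hex4>].[<contact>].<ext>. The first SAMPLE_PATHS entry is
the report's own; the rest, and contact@example.invalid, are constructed.
"""
import re
from collections import Counter

ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[^.\]]+)$"
)
RANSOM_NOTE_NAMES = {"info.hta"}  # note name seen in this report

SAMPLE_PATHS = [
    # from the report (contact field kept exactly as the page shows it)
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[63CF50CA-3483].[[email protected]].8base",
    # constructed
    r"C:\Users\Admin\Documents\Q3 budget.xlsx.id[63CF50CA-3483].[contact@example.invalid].8base",
    r"F:\share\archive.tar.gz.id[63CF50CA-3483].[contact@example.invalid].8base",
    r"C:\Users\Admin\Desktop\info.hta",
    r"C:\users\public\desktop\info.hta",
    r"C:\Users\Admin\Documents\untouched.docx",
]


def split_path(path):
    """(directory, file name) for a Windows path; tolerates forward slashes."""
    head, _, name = path.replace("/", "\\").rpartition("\\")
    return head, name


def parse_encrypted_name(name):
    """Dict with original, victim_id, contact, ext, or None if the name is not in the layout."""
    match = ENCRYPTED_NAME.match(name)
    return match.groupdict() if match else None


def original_path(path):
    """Path the file had before encryption, or None if it is not an encrypted name."""
    head, name = split_path(path)
    parsed = parse_encrypted_name(name)
    if parsed is None:
        return None
    return f"{head}\\{parsed['original']}" if head else parsed["original"]


def summarize(paths):
    """Scoping summary: counts, victim IDs, contacts, extensions and note locations."""
    encrypted, notes = [], []
    for path in paths:
        _, name = split_path(path)
        if name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(parsed)
    return {
        "encrypted_files": len(encrypted),
        "victim_ids": sorted({p["victim_id"].upper() for p in encrypted}),
        "contacts": sorted({p["contact"] for p in encrypted}),
        "extensions": Counter(p["ext"].lower() for p in encrypted),
        "ransom_notes": notes,
    }


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(original_path(path))
    print(summarize(SAMPLE_PATHS))
```

The victim ID (63CF50CA-3483 here) is the value to pivot on: the same ID on files from several hosts means one campaign instance and one key, while a second ID indicates a separate infection to scope separately. Do not treat recovered original names as restored data; the content is still encrypted, and the rename is only useful for inventory.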