Malware Analysis Report

2024-11-16 12:19

Sample ID 230630-ng188sha58
Target 0ex.ex
SHA256 b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4b89828380c4781c7beafa6dce00ae38cd4adc13ad56792996e28c41def5c53

Threat Level: Known bad

The file 0ex.ex was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (312) files with added filename extension

Renames multiple (485) files with added filename extension

Deletes backup catalog

Modifies extensions of user files

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Modifies registry class

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 11:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 11:22

Reported

2023-06-30 11:25

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (485) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\0ex.exe | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D18CD439-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ex = "C:\\Users\\Admin\\AppData\\Local\\0ex.exe" | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ex = "C:\\Users\\Admin\\AppData\\Local\\0ex.exe" | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ex.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 3616 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3616 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4268 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4268 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3616 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3616 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4268 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4268 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4268 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4268 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4268 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4268 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4268 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4268 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 1204 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 3580 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3580 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3580 wrote to memory of 3976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3580 wrote to memory of 3976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3580 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3580 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3580 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3580 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3580 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3580 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0ex.exe

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

C:\Users\Admin\AppData\Local\Temp\0ex.exe

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[D18CD439-3483].[[email protected]].8base

C:\info.hta

C:\Users\Admin\Desktop\info.hta

C:\users\public\desktop\info.hta

F:\info.hta

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 11:22

Reported

2023-06-30 11:25

Platform

win7-20230621-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\BlockUpdate.tiff C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompareOut.tiff C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Pictures\RedoPush.tiff C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\0ex.exe C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ex = "C:\\Users\\Admin\\AppData\\Local\\0ex.exe" C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\0ex = "C:\\Users\\Admin\\AppData\\Local\\0ex.exe" C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KSXRTYN9\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CPBW2FU\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKTA1QRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\O3WNZEP2\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\61AWXVYN\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QUA64EM4\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3GI9TKQG\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00164_.GIF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285484.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3 C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Mozilla Firefox\osclientcerts.dll.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01169_.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18230_.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected][8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\settings.ini C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\F12Tools.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\libxslt.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00299_.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH2.POC.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.dll C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Median.eftx.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.ELM.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3EN.LEX.id[8F9D674D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2004 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1652 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2004 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2004 wrote to memory of 664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2004 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2004 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2032 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 2032 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 2032 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\SysWOW64\mshta.exe
PID 2032 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\0ex.exe C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 540 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 540 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 540 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 540 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0ex.exe

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

C:\Users\Admin\AppData\Local\Temp\0ex.exe

"C:\Users\Admin\AppData\Local\Temp\0ex.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[8F9D674D-3483].[[email protected]].8base

MD5 601d9a58147b63df07871e4842a711a1
SHA1 c13914f0811efe16e06886929d2a27f67a89a2f3
SHA256 f9f201d1b9357d1216c190bab19fbbf0677152fb85593447d8a44096b1c2c1b4
SHA512 1c9877a20b335d762eae6e57a73da41348612d145c597ceb70375bd4a3dfa7fef68bb7f060cf4d69a22e539c90b2848899e1be69667ab8067a2ea87903411ac5

C:\info.hta

MD5 377a7f69df7360efbce975a42f6d251b
SHA1 a044a458252c8e831eba67e462d5c3a711e23490
SHA256 7dfb3ba3925fbf94fef79ec890c338fc6625c4146db0796432de52ea5b9b6d8d
SHA512 4dcaa7f2388c067d0b6532fa6087486801031b660b5c4c20f966d296ef4abc5eb809d65313f9c3d71b887be2169b914b84ab2492b284b2ddcdc20a109479c300

C:\Users\Admin\Desktop\info.hta

MD5 377a7f69df7360efbce975a42f6d251b
SHA1 a044a458252c8e831eba67e462d5c3a711e23490
SHA256 7dfb3ba3925fbf94fef79ec890c338fc6625c4146db0796432de52ea5b9b6d8d
SHA512 4dcaa7f2388c067d0b6532fa6087486801031b660b5c4c20f966d296ef4abc5eb809d65313f9c3d71b887be2169b914b84ab2492b284b2ddcdc20a109479c300

C:\users\public\desktop\info.hta

MD5 377a7f69df7360efbce975a42f6d251b
SHA1 a044a458252c8e831eba67e462d5c3a711e23490
SHA256 7dfb3ba3925fbf94fef79ec890c338fc6625c4146db0796432de52ea5b9b6d8d
SHA512 4dcaa7f2388c067d0b6532fa6087486801031b660b5c4c20f966d296ef4abc5eb809d65313f9c3d71b887be2169b914b84ab2492b284b2ddcdc20a109479c300