Malware Analysis Report

2024-11-16 12:18

Sample ID: 230704-paandacd84
Target: 2288a0c896757647538a7dab5.exe
SHA256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb

Threat Level: Known bad

The file 2288a0c896757647538a7dab5.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (473) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (310) files with added filename extension

Deletes backup catalog

Modifies extensions of user files

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-04 12:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-04 12:07

Reported: 2023-07-04 12:09

Platform: win7-20230703-en

Max time kernel: 150s

Max time network: 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
(4 bcdedit.exe launches; Description and Indicator are N/A, so the command lines passed to bcdedit are not recorded in this report)

Renames multiple (310) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
(2 wbadmin.exe launches; command lines not recorded in this report)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
(2 netsh.exe launches; command lines not recorded in this report)

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2288a0c896757647538a7dab5.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Reads user/profile data of web browsers

spyware stealer
(No table is attached to this signature. For a file-encrypting sample that walks every user directory, reads of browser profile files are the expected side effect of encrypting those directories, not evidence of credential theft. The "spyware stealer" tags in the report header derive from this signature and should not be read as confirmed data theft; nothing else in this report ties the sample to exfiltration.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5 = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5 = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
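The Startup-folder table and the two Run values above describe one persistence pattern: the sample copies itself into AppData\Local and into the user's Startup folder, then registers the AppData\Local copy under both the HKLM and the HKCU Run key. The following Python is an added example, not code from this report or from the sandbox, that correlates those three artefacts from `reg query` output and a Startup-folder listing. The `reg query` text and the listing are constructed: the value name and paths come from the tables above, while the benign entries (VMware Tools, OneDrive) are invented for contrast.

```python
"""Correlate the three persistence artefacts this report shows: a Run value
under HKLM, the same value under HKCU, and a copy of the sample in the
user's Startup folder.

Added example, not part of the sandbox report. The `reg query` output and the
Startup-folder listing below are constructed; the value name and paths are
taken from the report, the benign entries are invented for contrast.
"""
import re
from collections import defaultdict

# One line of `reg query <key>` output: four-space indent, name, type, data.
_VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Locations an installer would not normally use for a machine-wide auto-start.
_USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public)\\", re.I)


def parse_reg_query(text: str):
    """Yield (key, value_name, data) from `reg query` output. Key header lines
    have no indent; value lines are indented by four spaces."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["data"].strip()


def _exe_from_command(data: str) -> str:
    """First token of a Run value, with surrounding quotes removed."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_persistence(reg_output: str, startup_files):
    """Score each Run value whose binary sits in a user-writable profile
    directory. Per-user installers (OneDrive, Teams) also live there, so that
    reason alone is weak; the HKLM+HKCU duplicate and the Startup-folder copy
    are what separate this sample from them."""
    entries = list(parse_reg_query(reg_output))
    hives_by_exe = defaultdict(set)
    for key, _name, data in entries:
        hives_by_exe[_exe_from_command(data).lower()].add(key.split("\\", 1)[0])
    startup = {f.lower() for f in startup_files}
    findings = []
    for key, name, data in entries:
        exe = _exe_from_command(data)
        if not _USER_WRITABLE.search(exe):
            continue
        reasons = ["binary under a user-writable profile directory"]
        if len(hives_by_exe[exe.lower()]) > 1:
            reasons.append("same binary registered in both HKLM and HKCU Run")
        if exe.rsplit("\\", 1)[-1].lower() in startup:
            reasons.append("same file name dropped in a Startup folder")
        findings.append({"key": key, "value": name, "exe": exe,
                         "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed `reg query` output for both Run keys (sample entries from the
# report, benign entries invented for contrast).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    2288a0c896757647538a7dab5    REG_SZ    C:\Users\Admin\AppData\Local\2288a0c896757647538a7dab5.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    2288a0c896757647538a7dab5    REG_SZ    C:\Users\Admin\AppData\Local\2288a0c896757647538a7dab5.exe
"""

# Constructed listing of the user's Startup folder.
SAMPLE_STARTUP = ["desktop.ini", "2288a0c896757647538a7dab5.exe"]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_REG_QUERY, SAMPLE_STARTUP):
        print(finding["score"], finding["key"], finding["exe"], finding["reasons"])
```

OneDrive is reported with a score of 1 because it also runs from AppData\Local; the sample's two entries score 3. On a live host, feed the function the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalent, and the file names from both the per-user and the All Users Startup folders.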

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6INXWPIH\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GUA35OLJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K6HUUV9Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OXQ17C32\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IFXYB4PW\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9GE2DVL\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QZC38O31\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1724861073-2584418204-2594431177-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Technic.eftx.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jre7\lib\security\javaws.policy.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\de-DE\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\hxdsui.dll.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ja.dll.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RTF_BOLD.GIF.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\jfr\profile.jfc C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OrielFax.Dotx.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Slipstream.thmx.id[FDD31F9C-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
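The "File created" rows above, and the Startup-folder desktop.ini earlier, follow the Phobos naming scheme: `<original name>.id[<8 hex digits>-<4 digits>].[<contact>].<suffix>`, here `.id[FDD31F9C-3483].[...].8base`; the attacker's contact address is obfuscated on this page as `[email protected]`. The following Python is an added example, not code from this report, that parses that scheme and summarises a file listing: how much was renamed, which victim IDs and contacts appear, and which original extensions were hit. The listing is constructed from paths in the tables above plus two invented entries; the contact address is a placeholder, not the real one; the field names `victim_id` and `marker` are mine.

```python
"""Parse Phobos/8Base encrypted file names and triage a file listing.

Added example, not part of the sandbox report. The listing below is
constructed from paths that appear in the report; the attacker contact in the
report is obfuscated ("[email protected]"), so a placeholder address is used
here. Field names (victim_id, marker) are the author's, not Phobos terms.
"""
import re
from collections import Counter

# <original name>.id[<8 hex>-<4 digits>].[<contact>]...<suffix>
# In this report the 8-hex value (FDD31F9C) and the 4-digit marker (3483) are
# the same on every renamed file; one or more bracketed contacts precede the
# final suffix (".8base" here).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<marker>\d{4})\]"
    r"(?P<contacts>(?:\.\[[^\]]+\])+)"
    r"\.(?P<suffix>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(path: str):
    """Return the parsed fields for a Phobos-style name, or None if the file
    name does not carry the marker (i.e. it was not renamed)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PHOBOS_NAME.match(name)
    if not m:
        return None
    return {
        "original": m["original"],
        "victim_id": m["victim_id"].upper(),
        "marker": m["marker"],
        "contacts": re.findall(r"\[([^\]]+)\]", m["contacts"]),
        "suffix": m["suffix"],
    }


def triage_listing(paths):
    """Summarise a listing: how much was renamed, which victim IDs and contacts
    appear, and which original extensions were hit. More than one victim ID in
    one listing means files from more than one infected machine (for example a
    share written to by several hosts)."""
    victim_ids, contacts, suffixes = set(), set(), set()
    by_ext = Counter()
    encrypted = untouched = 0
    for p in paths:
        rec = parse_encrypted_name(p)
        if rec is None:
            untouched += 1
            continue
        encrypted += 1
        victim_ids.add(rec["victim_id"])
        contacts.update(rec["contacts"])
        suffixes.add(rec["suffix"])
        orig = rec["original"]
        by_ext[orig.rsplit(".", 1)[-1].lower() if "." in orig else ""] += 1
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "victim_ids": sorted(victim_ids),
        "contacts": sorted(contacts),
        "suffixes": sorted(suffixes),
        "by_extension": dict(by_ext),
        "multiple_victim_ids": len(victim_ids) > 1,
    }


# Constructed listing: four paths from the report with a placeholder contact,
# one untouched file, and two invented entries (a dotted name, a second host).
SAMPLE_LISTING = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[FDD31F9C-3483].[contact@example.invalid].8base",
    r"C:\Program Files\Java\jre7\lib\security\javaws.policy.id[FDD31F9C-3483].[contact@example.invalid].8base",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id[FDD31F9C-3483].[contact@example.invalid].8base",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll",
    r"C:\Users\Admin\Documents\report.final.v2.docx.id[FDD31F9C-3483].[contact@example.invalid].8base",
    r"\\FILESRV\share\budget.xlsx.id[0A1B2C3D-3483].[contact@example.invalid].8base",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

The non-greedy `original` group keeps dotted names such as `report.final.v2.docx` intact, and matching on the file name only (not the full path) avoids false hits on directories that happen to contain dots. The "File opened for modification" rows above are the originals being read before the renamed copies are written; on a real listing the parser's `untouched` count is the quickest measure of what the run did not reach.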

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
(2 vssadmin.exe launches; command lines not recorded in this report)
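The bcdedit, wbadmin and netsh signatures earlier in this analysis, the vssadmin table here, and the WMIC.exe rows in the AdjustPrivilegeToken table below are the pieces of the recovery-inhibition sequence a Phobos sample runs alongside encryption. This report records only the launches (Indicator N/A), not the command lines. The following Python is an added example, not part of the report, that detects the sequence from process-creation records (Sysmon event 1 or Security 4688 style) by clustering several distinct recovery and firewall tools spawned by one parent within two minutes. The records are constructed; their command lines are the arguments publicly documented for Phobos and are an assumption about this sample, not values taken from the report.

```python
"""Detect the recovery-inhibition chain from process-creation records.

Added example, not part of the sandbox report. The records below are
constructed. The command lines are the arguments Phobos is publicly
documented to pass to these tools; this report only logs the launches
(Indicator column N/A), so they are an assumption, not this sample's
recorded arguments.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# (tactic label, image name, pattern over the command line). A plain
# "vssadmin list shadows" or "bcdedit /enum" from an administrator does not match.
RULES = [
    ("inhibit_recovery", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("inhibit_recovery", "wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("inhibit_recovery", "wbadmin.exe", re.compile(r"\bdelete\s+catalog\b", re.I)),
    ("inhibit_recovery", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("impair_defenses", "netsh.exe",
     re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable", re.I)),
]


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent: str   # image path of the process that spawned this one
    image: str    # image path of the new process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return (tactic, tool) for a matching event, else None."""
    for tactic, tool, pattern in RULES:
        if _basename(ev.image) == tool and pattern.search(ev.cmdline):
            return tactic, tool
    return None


def find_chains(events, window=timedelta(seconds=120), min_tools=2):
    """Cluster matching events per (host, parent image), counted from the first
    hit, and report clusters that use at least `min_tools` distinct tools. One
    deletion on its own is noisy; several different tools from one parent
    inside two minutes is the pattern this report shows."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        tag = classify(ev)
        if tag:
            hits[(ev.host, _basename(ev.parent))].append((ev, tag))
    findings = []
    for (host, parent), seq in hits.items():
        start = seq[0][0].ts
        cluster = [(ev, tag) for ev, tag in seq if ev.ts - start <= window]
        tools = sorted({tag[1] for _, tag in cluster})
        if len(tools) >= min_tools:
            findings.append({
                "host": host, "parent": parent, "tools": tools,
                "tactics": sorted({tag[0] for _, tag in cluster}),
                "events": len(cluster), "first_seen": start.isoformat(),
            })
    return findings


# Constructed records: one infected host plus two benign launches.
_T0 = datetime(2023, 7, 4, 12, 7, 30)
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"
SAMPLE_EVENTS = [
    ProcEvent(_T0, "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(_T0 + timedelta(seconds=1), "WIN7-LAB", _SAMPLE,
              r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(_T0 + timedelta(seconds=2), "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(_T0 + timedelta(seconds=3), "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(_T0 + timedelta(seconds=4), "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\wbadmin.exe",
              "wbadmin delete catalog -quiet"),
    ProcEvent(_T0 + timedelta(seconds=5), "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\netsh.exe",
              "netsh advfirewall set currentprofile state off"),
    ProcEvent(_T0 + timedelta(seconds=6), "WIN7-LAB", _SAMPLE, r"C:\Windows\system32\netsh.exe",
              "netsh firewall set opmode mode=disable"),
    # Benign: an administrator listing shadow copies, and a lone firewall change.
    ProcEvent(_T0 + timedelta(seconds=40), "WIN7-LAB", r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(_T0 + timedelta(seconds=50), "FILESRV", r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
]

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

With the default `min_tools=2` the lone firewall change on FILESRV and the administrator's `vssadmin list shadows` produce no finding; lowering `min_tools` to 1 lists every matching launch, which is the right setting when hunting rather than alerting. Keying the cluster on the parent image is what ties the launches back to the sample; if the tools are spawned through an intermediate cmd.exe, key on the grandparent or on the process tree instead.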

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
(3 identical key-creation events. The process is mshta.exe, not the sample: mshta.exe hosts HTML Applications on the Internet Explorer engine, and creating HKCU\Software\Microsoft\Internet Explorer\Main is that engine's normal initialisation. The "adware spyware" label is the sandbox's generic tag for this signature. What matters for triage is that the sample launched mshta.exe at all; Phobos family samples are documented to display their ransom note as an .hta file through mshta.exe, but this report does not list the dropped file, so treat that as context rather than an observation from this run.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
(this row appears 64 times in the original report, one per process-enumeration event, all from the sample itself)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2244 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2244 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1012 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2244 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2244 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2244 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2244 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3008 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 3008 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 572 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 572 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 572 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 572 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 572 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 572 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

memory/3008-55-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1528-57-0x0000000000400000-0x0000000000695000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[FDD31F9C-3483].[[email protected]].8base

MD5 4010b4533a6bd8bebdc4d127bceb955f
SHA1 ee6e7071491032fe0eba111017f4c94e36429d8c
SHA256 b8ac1b6348af78ca6791d7c539af9775de5ffa0349e4de52403ba655c8e29262
SHA512 4b14341cdf31e06c0719df8e27814390b18064647bbadccf426008bf1bf5eef6c811b5dc523a1eae809d95169d2511193cfb1f29c01ad3d3876552dc15651055

memory/3008-296-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-1319-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-2688-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-3569-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-5534-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-8097-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3008-10275-0x0000000000400000-0x0000000000695000-memory.dmp

C:\info.hta

MD5 8e94e49e7d86906c37ea1b9884217264
SHA1 eecf447b0f3cb0b8a8f9ca2daef7f486fdbaa45a
SHA256 9a480891d33081dae3c36d1ea39225a34a4e0924e04b470e5e01026f3c9351af
SHA512 2cb15f5b7ed8c9eab242b08a7e827b4c7db774d355b62bb10022e5dd76945cf022bdc9c9f1ebc21bd5a8a7b43d0038f5518fc383de1aaeaa845fc6479e10cbdf

C:\info.hta

MD5 8e94e49e7d86906c37ea1b9884217264
SHA1 eecf447b0f3cb0b8a8f9ca2daef7f486fdbaa45a
SHA256 9a480891d33081dae3c36d1ea39225a34a4e0924e04b470e5e01026f3c9351af
SHA512 2cb15f5b7ed8c9eab242b08a7e827b4c7db774d355b62bb10022e5dd76945cf022bdc9c9f1ebc21bd5a8a7b43d0038f5518fc383de1aaeaa845fc6479e10cbdf

C:\Users\Admin\Desktop\info.hta

MD5 8e94e49e7d86906c37ea1b9884217264
SHA1 eecf447b0f3cb0b8a8f9ca2daef7f486fdbaa45a
SHA256 9a480891d33081dae3c36d1ea39225a34a4e0924e04b470e5e01026f3c9351af
SHA512 2cb15f5b7ed8c9eab242b08a7e827b4c7db774d355b62bb10022e5dd76945cf022bdc9c9f1ebc21bd5a8a7b43d0038f5518fc383de1aaeaa845fc6479e10cbdf

C:\users\public\desktop\info.hta

MD5 8e94e49e7d86906c37ea1b9884217264
SHA1 eecf447b0f3cb0b8a8f9ca2daef7f486fdbaa45a
SHA256 9a480891d33081dae3c36d1ea39225a34a4e0924e04b470e5e01026f3c9351af
SHA512 2cb15f5b7ed8c9eab242b08a7e827b4c7db774d355b62bb10022e5dd76945cf022bdc9c9f1ebc21bd5a8a7b43d0038f5518fc383de1aaeaa845fc6479e10cbdf

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-04 12:07

Reported

2023-07-04 12:09

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (473) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RepairSave.tiff C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2288a0c896757647538a7dab5.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5 = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2288a0c896757647538a7dab5 = "C:\\Users\\Admin\\AppData\\Local\\2288a0c896757647538a7dab5.exe" C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_k_col.hxk C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PowerShell.PackageManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-20.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\ui-strings.js.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf-2x.png.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nl_135x40.svg.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SharedUI.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.model C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\help.svg.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Themes.json C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\file_icons.png.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skypex-icon-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons_retina.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Mozilla Firefox\application.ini.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\msedgeupdateres_el.dll C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentDesktop_144x56.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.id[8E5A78EE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1280 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3376 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3376 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3376 wrote to memory of 4400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3376 wrote to memory of 4400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3376 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3376 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3376 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3376 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3376 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3376 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1280 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1280 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4852 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\SysWOW64\mshta.exe
PID 4852 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4272 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4272 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4272 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4272 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4272 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4272 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4272 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4272 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4272 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe

"C:\Users\Admin\AppData\Local\Temp\2288a0c896757647538a7dab5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1256 -ip 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 8.195.19.2.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/4852-134-0x00000000023D0000-0x00000000023DF000-memory.dmp

memory/1256-136-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[8E5A78EE-3483].[[email protected]].8base

MD5 59464b0037421a9b634942524d93919c
SHA1 7db4810fff3f6eb24675716726cb35949fcd5e98
SHA256 f12e24e9714b4c62b7d929384f582095afbf1d0c026ef220c1217dd5ce70406a
SHA512 95e1c7888b6730fc27db7059ba6f0a7e72a55878c94787069a9b0b2850c63413c1bebbb4c15caf7547e64b9cb5df49efeb7eea58bfb9df1a7b2d185d19ea5f59

memory/4852-644-0x0000000000400000-0x0000000000695000-memory.dmp

memory/4852-3129-0x0000000000400000-0x0000000000695000-memory.dmp

memory/4852-4626-0x0000000000400000-0x0000000000695000-memory.dmp

memory/4852-6306-0x0000000000400000-0x0000000000695000-memory.dmp

memory/4852-9442-0x0000000000400000-0x0000000000695000-memory.dmp

C:\info.hta

MD5 62fc4b6ac3469029384be458a30911bc
SHA1 9a3de7e80fb892507e685c0519ed40bb939e31ed
SHA256 ea45344e96fa0873c790e613c2661ae132cf56504f6735090165de83ed555576
SHA512 c8868187f61e4582bd29b2d33eb2e88fa9bd4f2bc1d86b99467c549903e7f58bd3d50db6fce8357cfb350be491fc7864d99b5213478503e00acc8e3c0a4a3b68

C:\Users\Admin\Desktop\info.hta

MD5 62fc4b6ac3469029384be458a30911bc
SHA1 9a3de7e80fb892507e685c0519ed40bb939e31ed
SHA256 ea45344e96fa0873c790e613c2661ae132cf56504f6735090165de83ed555576
SHA512 c8868187f61e4582bd29b2d33eb2e88fa9bd4f2bc1d86b99467c549903e7f58bd3d50db6fce8357cfb350be491fc7864d99b5213478503e00acc8e3c0a4a3b68

C:\users\public\desktop\info.hta

MD5 62fc4b6ac3469029384be458a30911bc
SHA1 9a3de7e80fb892507e685c0519ed40bb939e31ed
SHA256 ea45344e96fa0873c790e613c2661ae132cf56504f6735090165de83ed555576
SHA512 c8868187f61e4582bd29b2d33eb2e88fa9bd4f2bc1d86b99467c549903e7f58bd3d50db6fce8357cfb350be491fc7864d99b5213478503e00acc8e3c0a4a3b68

F:\info.hta

MD5 62fc4b6ac3469029384be458a30911bc
SHA1 9a3de7e80fb892507e685c0519ed40bb939e31ed
SHA256 ea45344e96fa0873c790e613c2661ae132cf56504f6735090165de83ed555576
SHA512 c8868187f61e4582bd29b2d33eb2e88fa9bd4f2bc1d86b99467c549903e7f58bd3d50db6fce8357cfb350be491fc7864d99b5213478503e00acc8e3c0a4a3b68

memory/4852-12081-0x0000000000400000-0x0000000000695000-memory.dmp